7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09

Analysis

max time kernel
150s
max time network
176s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Size

366KB
MD5

7a3c5d6d3e30f57539e3a163ef91e76e
SHA1

ebdcfbfd07279cb3d6195c532eb3914b7e66a68c
SHA256

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09
SHA512

7e6bdaabe983d482c83de9f50772093a085cabbaf5f68e1bb010a11dfd7676d9478132b068f2916e91a177bfa3f6f9412df86a85e45664b929da41d0f394e4f3

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

pid process

1028 7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\N:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\K:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\K:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\G:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\W:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\T:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\W:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\T:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\N:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\N:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\F:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\T:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\M:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\F:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\V:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\G:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\G:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\N:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\V:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Drops file in System32 directory 1 IoCs

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll 7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

pid	process
1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1416	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1524	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1008	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1804	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
948	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1988	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1548	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
768	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
240	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1964	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1336	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
824	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
712	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
588	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1888	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1072	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1400	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1644	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

pid process

1028 7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
"C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1804

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:768

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:824

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:712

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:912

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
22⤵
- Drops file in Drivers directory
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
dd2d20a2d75cad40a0f7b2ce4c4d5bef

SHA1
4942b3bb460a51a112c05bddcb7ae43cad5d25dc

SHA256
ddeb0da9f960b00586730c458d9534ca5a60b932956288901f70f2d5d2cdd9f0

SHA512
4b56b2dbb8100ba699a21a0cf45b0661037fe1afbfd6e8bcb1a92f207a2fc4014a0a6f558485c90a78806518cde24783d772eefcdb9e875d1227e4828c72b070

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1f42dd85720d4d7b86c772b7b4499bfe

SHA1
f81b3d6886bb919897b57634447b9b7bf1282f62

SHA256
b361235b59d67b81603486208ccc577395b907fba38fa35922a8279a05069feb

SHA512
e10be3f0fd53dc8e6f645a361ef0b3216823ce1bd6cbdc7d9e667992654b8d5cc51a39401895e0d13a1265be5d316f04823eb5cd5bcbad9e2c79b02b1c1cd1da

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7ec5a5b0fc3e2955bc1dcecc7d7ee891

SHA1
79edbef8855d816a152c83a1641ee53ad78019d1

SHA256
230bd079508f2501f3cddbd89919a420302dfe2bae13051a641aba208e39ca9c

SHA512
f4676e259de6d5bc6668d177d51b5015bc23cae57fbd5ec5de353bbf0750de97b5cd34e6e33a44e0aaf4719bb0ff5b95e8b186671151774fbadcd9ee09cbc4cc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6f5dee55890caf28d42ac81522390f31

SHA1
0900f098607a3da0148e237fb10e91786ad25a5e

SHA256
18d600a870417e5f9dfabc59eb031e1a825854e6149b89ab51cb845b3f866d5c

SHA512
8468032854ade27666e2cb4ce26c49489dfd51841b7d2b2cfed8d29f38a2d2c9dc2d1941268a3fcb568bfeceb064591ef1b3965223196cd39c91b81eb539bf0d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0409db0da3a397a46dba878dbf62d208

SHA1
8b6f55d13e667da6704d61748eead7d3c95997af

SHA256
81277da1ecd9064276ec51bbb1da59811bcd67da5d5d1873632c55211092d28c

SHA512
f60182de6f212cfdca5189c6d17b1f08500e9b454e079fd3bb873c02d132c34db6167b2888feaf383369708bffe348ca8764d3b173a991634d524ff8ca311bb1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
376fea87405de90385aebaa1551420b9

SHA1
51c471677451fe717a53a1236edb9d36c43c07cf

SHA256
d62bd3dd18a91129d6e6e46ca36c75a81aa0361832bc2a62959d7b597970dd20

SHA512
5f850152551f7fa16a0557da2d4d77676c30de7ecce51176715a226ec9aff2a747fb1d25e0ee0a08c721f130727ea6cddd4a15f7eaa3844a8712128b73d09f05

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bdfdd0705341d2c9aef54449a0c91447

SHA1
47048aeb1a553e82a95f754eb925ca8e53c8bf2a

SHA256
57079dc3fc0b9dc4c1aa8d5d58c18a2c18859fdfbe39e6c55cc3e3d40d53c4a6

SHA512
c1ce0e206e312fbc3c43c1af9b29d862a0ee714f8ff75b724549d9fa021b769171b20c39d71c7fb90d63d7dc96820e281582202195e9ce670f6a861c6d2806e7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
de473db275c498355efa2fda79622230

SHA1
ae05a1f15065b9b76f4eb4164bf2f656ef75743c

SHA256
c2bd3d1aa878e4eb310938fd43a180fae3d0ad898118c791ac32c1e2443b7a4d

SHA512
c35c85230ca0a9ccff629880407238695fefd98710043f1c6ba7effcbac60e451cebc956b3b8853534b63c0a780d6334c6e38a63438374da3715dd2b724f370f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2a4902b5b11a3d6125c158cebee8f3b8

SHA1
8832c46f8dd9c8ec3926a3244ffbe605de7f82a9

SHA256
a83f54e3a96c57af8f8d8f484921fc398cb47e51c954c7fb87f06a7d7a3aa533

SHA512
ea454032a6a36864bb1095dfe92f3c7fc00ef75ed274591cb9a5e6adaf5ae4a11c179a2d2e3b7b6b2e69f55f5e0c946c64cba4da73ac284fe79583c137827ca6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
773d98dac99f02b76aa0e3c1631e0cf0

SHA1
784017527357ba0582d58a3ed91df9767ac6a104

SHA256
f2430a97ad112b56596ecebd1d5b107919ef7a6839094d8ca742a17d0ba40572

SHA512
c354274223fdf4144dc02f048d5813fdf7a3883866353c1562ea99ac8f6fa9ec4f056b3cf2096ce55e1dd2550731b5b56e066c999e645010907f12c87d80573f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
01544be02a69b9bfc64fe6f1f73bfa2c

SHA1
dfb87ba1c5af0cd1b3ee2fd1f3eb7ec73ef516e3

SHA256
eecae1657c9318c0d957799bc6ed97cda062a689f99a21a5714b60f0d2fc068e

SHA512
92f9efa7033d9501707b2662caa97cc09c1f2706bbb255d71c1a222ff33834547ad44a095fbbc8407ea9cbfe0da0727059d4584f0960aa163dbff81b66e0f33f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c77c69088522a9106756ebef012d3091

SHA1
eafa32720da87fabb87788e1bf3421adc592b9d3

SHA256
288c5fcc7f6e895100925d632c600c8895ab357d49825280255005ad404d327b

SHA512
de36780e8b7e712ac038fd58fbcdfa12d9adb21966f2bb2c8a2a8e000d442fe8912b13ab55302369a70ed4b3b48eafb090e24f61a962ad51b98320e682f5696c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d25c7921f8a2f7c13bcdf70d03b69973

SHA1
84633f0f4f268de76ec38ba6f72430a7a87eea5b

SHA256
b81643e79851edae601d89acb48128e635454b68d488e3efb4e435007f4991c8

SHA512
96ea9b8212af853aa2be8e8d5477590932345448932452ce01b799a203e948a8d20b5aa8ac1d14fddf7433830081f1adedc09369eee08e574f082d10249c23da

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1328a06f31427e5fd3404d7a79481af9

SHA1
17223b2f9e2f2a8d698028f30894c56be5a7a0ec

SHA256
8b10c69fe969ea00025971bc5cc0cf5edd4e170fbf18184316634318a6bf154d

SHA512
9c9a7021577ba47aa7b2e4499fe0f694fbfc76a4d3ad15b46fcdeff2edfffc31d34e3e32daa20fa3e06d4498bd0845975119bc5a987991b8572d46a4f665bda7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e40565676576b5562e918e09e70a2276

SHA1
120949a454e5b7f5a033186b59ccd079ab9da8ef

SHA256
227100c7cbd9be4d99b1a39335706cdcf0b8e024e62973bf55739de95b6b59ec

SHA512
33b3c770299d40974203fa7a666e35fae9b1c745dbddeebadee74721ea09e12d0b7b2e05b18ec02a0e7a3cc07a4a7a2ff412768a437c43fdd4a5e24f7a40b85c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9ee35ced3f7dd2f0b2758d1d5beff759

SHA1
664a6f72e3db49e4a3733a9481811d00dc9a6f3f

SHA256
134b43c3082aac947887a372400adb666111127801dae23c4823a164e0b157d6

SHA512
3961c197a4937e33860e7319ac1b3413c071c27fe7d0ee3d822648c9339abb3abc68c10b49ab8f1feac1a7c2629a719ee3d5edc10035f214d856a78c21f3b948

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
aa6f369f320f03d3101a426f2307f8a0

SHA1
a7639e4ae82025a6163e99072ab4073052478029

SHA256
5aa09fda712b5e15c463d8a847d833607ca9a989e81d1569f090caa477f9a21a

SHA512
f59f89ad34ee0a3e7338729482e13f66fbf06cff3dece6b650c3e87ba3747e7adffd045ba7ba2fe83f11547bf1c6359119a78b02436a3d1f2cd7fa18dbbc1ce2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e654d663a67c37c54392f5c841376375

SHA1
b1c812aa5f50c16c23af1fb95a61ee8a65698dc5

SHA256
0c1dd7ebaf5d829c8e6a0016301758f1156e3b2ccd20455a8643ba04ed846380

SHA512
fc0cb43e2a5f97a4697fbe29e2b193a7f32297231e93e774b5572041e643816b0ac2e50d947107fbba16d384d31c99be9470921aeaf48731f0ca0eca1843eee0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3b4aa60b32907d209a410f236637fd67

SHA1
c72d01039f149608c76351f6acbad7666d5f072a

SHA256
0e60cc6b8ecfad9ac3e761b79e937d8ba5cf80c04d1f49d3b25c77a21f1ecc1c

SHA512
ff51d92bb0b4ac151272de466ea655de6ec9f7de8733cf1ec872e0095e6aa93aaab0b7c17ffbe432edac162a3d40402337ca75049732d64e776f82681f89d6b2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
67be353400fd717020d895a7efa6e2b9

SHA1
d73fe1e0ac46940328563f87b9b4d43b4901eb4b

SHA256
0e8b7aad9c4174a0a1cfda442fd90b0fab2ba0c7f9b601d2e94448f41d42b637

SHA512
85e5d3c1dfb1654a97be05c41f1b76f021b82444308ae13c8f59bd63b75a003918472a78ddda2b7c66959372684cd9d1c5fa6b56e3413b7406823656fb5456ce

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
afae59379fbf59ded54317b8c607a5a4

SHA1
6807f87084876c909cbe00a66a0c413bfe3b9602

SHA256
14529262c6b190e5e3089c0670b0866b95ca1e12896cfb6283ed47947f15f80a

SHA512
a3edc2521c77843d16073126e0f3898ac38e9c2ea22b155a9842372463e4f25527895f2a8bcb30e3b71a730b2b994d56468a2859225fe4f30ba90fbc16095f0a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c12aaefaa1b565a5f69deaa563afb176

SHA1
54d7d3215c353546a3b9ba3c56195d8c8fc77c6b

SHA256
3192c892daf83f8e35e4f9e17b102a658702fc49098fddc41e2abbc473e8438c

SHA512
eef989b7f52713250f5d20d41d4834ee25b4a37184514db01612a7dfe52c8c6a09f3e9c561aa799fa8e363da219ce1877bc84ca58cdd48bfaf29790afbf9a99e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fb8f1d67d67ed12f25594c4ab35ee258

SHA1
ffa824904e5daf94b71c79adf99e9636be22db6e

SHA256
8c0ec8aca9752a87afb3cf890f7dac913649d2183e315992d7f6a4bdee3ac57c

SHA512
9c72aa22f54550c8719e251c25766963327180c1d7932e6a5d6d953a8eb79345442208d394c5685cad8d739579876fbd2692621590b058a0efa1490b7c7f24e0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f295f00e11fae91d745a6a62c036ac7f

SHA1
8b1587add9dd96deac84d8e20e48906df226c62a

SHA256
c6abb8229f7fba878bb416e118b381c0c187ee2cec0a76763cd57d0bc776340d

SHA512
63631107be1a5e10043c366eb5c12b7d53f21613dd0d21b5ca22014a209d552abb46c009f25e0bcd94bd01a975716cb9c0c6363e5d7b1b452ea6b4d9f31086a7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
42dfe20aaf88e0f2ec91371dd8f0da01

SHA1
7a5896d69e66d26cf8df2fe9da3316b48e22c24e

SHA256
ae09d69483a8f98225e05daee8f1e027c481974d10de15ddee94bd41cb196cc8

SHA512
ba5294441cfc5ac9e581f59377b565aa52fc632192850090f220dc7bb47ea600fad32ba3ebb99a4a2790d555702cdec4de2062837322c116e935ecc9ca70ff87

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
331348735aee7f16675931a334a0362c

SHA1
fe39351f2717d2429a8e30d6020669b634848a86

SHA256
fe14a92a4ce6a89ab97b59b53e317f326712e7319433b1322fcc3b4b6ebde5fa

SHA512
4e317adeda8ecb31dd7fe5a8d46c90387775567cd657d796e92e42621e151e027286706bb0dcfcdb68e2acd11c8c61ed14073bd37109efdbd3c83a6cbf3bd810

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
98bee54541fdc4277dce811634ac5657

SHA1
3a8f51c75bd075148ba7f3e05fa0daaca25deb15

SHA256
cda73d6936e403ba8c090aee335f82d0477a5631bbeb5ae1b84292a92f03141f

SHA512
7c072235f07dbc4fcbb207a96f6041475e6e63502cb09cccff27ea02ad299be4db6eb67cba1f934db85e2f86e152382d06eecb4d6fc91514afe4059c03bfe038

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dcfecac05a2c6c95d7b3ece146e4e40f

SHA1
88f7761022ff325b7935e60c31ccb4d29a4aa46f

SHA256
f2c774e1ee0aa3a7eccc4a91ef07e227a0dafb8a987058315e5750364041e719

SHA512
c0e5bee64b1b27740420bc76ab67f7f64f4065eb336362d8431ff1b859ef7dc799ced3a2a2b0fa492fe9b8be206b01112ed50b30c9ef28f62fb2dde14d23f0dd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
328267278806e8f845938c8b468f98a7

SHA1
e62335197e445edcda3e006303d21d7f88b2bd88

SHA256
847c14c967d4d3229ca9728c7340c52b98263c4d294fb20f18c62b9da16a9e05

SHA512
57707d9ec361cdbfebfdcc58e916556c6e094259ed4d111f67947b512afea51ceb6f154db7df3ae9ff5cac36c49300a4a108e952523c28e63138da8c57911fe6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3978395dc6e03ad8d516fa655f32eb13

SHA1
9a9ee4f5d686e84d02f7b6bdbf14c7cc0761e030

SHA256
06598d0748bafc486e794f6a22ee8ac9f003a3eaa58561dedd304f8e2c7435d7

SHA512
92a660ff3b6db49804ac52807745c875e9f292903f01894f435599fe75fb386148ec1b8ecd26d84beb2dd342a387c2c744fac28e0c8321fbd9d05a85bf0de24e

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/240-108-0x0000000000000000-mapping.dmp

Download
memory/588-133-0x0000000000000000-mapping.dmp

Download
memory/712-128-0x0000000000000000-mapping.dmp

Download
memory/768-98-0x0000000000000000-mapping.dmp

Download
memory/824-123-0x0000000000000000-mapping.dmp

Download
memory/912-103-0x0000000000000000-mapping.dmp

Download
memory/912-138-0x0000000000000000-mapping.dmp

Download
memory/948-83-0x0000000000000000-mapping.dmp

Download
memory/1008-73-0x0000000000000000-mapping.dmp

Download
memory/1028-61-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/1072-148-0x0000000000000000-mapping.dmp

Download
memory/1336-118-0x0000000000000000-mapping.dmp

Download
memory/1400-153-0x0000000000000000-mapping.dmp

Download
memory/1416-63-0x0000000000000000-mapping.dmp

Download
memory/1524-68-0x0000000000000000-mapping.dmp

Download
memory/1524-163-0x0000000000000000-mapping.dmp

Download
memory/1548-93-0x0000000000000000-mapping.dmp

Download
memory/1644-158-0x0000000000000000-mapping.dmp

Download
memory/1804-78-0x0000000000000000-mapping.dmp

Download
memory/1888-143-0x0000000000000000-mapping.dmp

Download
memory/1964-113-0x0000000000000000-mapping.dmp

Download
memory/1968-60-0x0000000000000000-mapping.dmp

Download
memory/1988-88-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1028 wrote to memory of 1968	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 1028 wrote to memory of 1968	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 1028 wrote to memory of 1968	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 1028 wrote to memory of 1968	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 1028 wrote to memory of 1416	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1028 wrote to memory of 1416	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1028 wrote to memory of 1416	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1028 wrote to memory of 1416	1028	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1416 wrote to memory of 1524	1416	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1416 wrote to memory of 1524	1416	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1416 wrote to memory of 1524	1416	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1416 wrote to memory of 1524	1416	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1524 wrote to memory of 1008	1524	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1524 wrote to memory of 1008	1524	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1524 wrote to memory of 1008	1524	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1524 wrote to memory of 1008	1524	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1008 wrote to memory of 1804	1008	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1008 wrote to memory of 1804	1008	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1008 wrote to memory of 1804	1008	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1008 wrote to memory of 1804	1008	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1804 wrote to memory of 948	1804	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1804 wrote to memory of 948	1804	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1804 wrote to memory of 948	1804	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1804 wrote to memory of 948	1804	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 948 wrote to memory of 1988	948	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 948 wrote to memory of 1988	948	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 948 wrote to memory of 1988	948	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 948 wrote to memory of 1988	948	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1988 wrote to memory of 1548	1988	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1988 wrote to memory of 1548	1988	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1988 wrote to memory of 1548	1988	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1988 wrote to memory of 1548	1988	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1548 wrote to memory of 768	1548	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1548 wrote to memory of 768	1548	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1548 wrote to memory of 768	1548	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1548 wrote to memory of 768	1548	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 768 wrote to memory of 912	768	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 768 wrote to memory of 912	768	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 768 wrote to memory of 912	768	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 768 wrote to memory of 912	768	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 912 wrote to memory of 240	912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 912 wrote to memory of 240	912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 912 wrote to memory of 240	912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 912 wrote to memory of 240	912	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 240 wrote to memory of 1964	240	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 240 wrote to memory of 1964	240	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 240 wrote to memory of 1964	240	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 240 wrote to memory of 1964	240	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1964 wrote to memory of 1336	1964	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1964 wrote to memory of 1336	1964	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1964 wrote to memory of 1336	1964	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1964 wrote to memory of 1336	1964	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1336 wrote to memory of 824	1336	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1336 wrote to memory of 824	1336	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1336 wrote to memory of 824	1336	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1336 wrote to memory of 824	1336	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 824 wrote to memory of 712	824	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 824 wrote to memory of 712	824	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 824 wrote to memory of 712	824	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 824 wrote to memory of 712	824	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 712 wrote to memory of 588	712	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 712 wrote to memory of 588	712	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 712 wrote to memory of 588	712	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 712 wrote to memory of 588	712	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads