0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0

Analysis

max time kernel
153s
max time network
198s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Size

1014KB
MD5

9886479ae7902f047409a32d28c9ca9c
SHA1

a973cb1cb0c088bbde87338eff2136d56db5f97e
SHA256

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0
SHA512

eb6298a867136dba43d7e2180ed5c9c0e744a278b005ee3e624d8291860a391f7621a01f24902c62d35b0c91ac64f0f40b6f65996847cfdae8479525783188c3

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

pid process

1100 0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\T:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\L:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\K:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\X:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\J:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\T:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\I:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\J:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\E:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\O:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\E:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\K:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\L:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Drops file in System32 directory 1 IoCs

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll 0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
552	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1500	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1404	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2004	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1688	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1692	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1264	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1796	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
260	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
984	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1036	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2020	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1092	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1896	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1832	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1400	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1528	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

pid process

1100 0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
"C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:260

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:948

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1896

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1832

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1400

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:972

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
23⤵
- Drops file in Drivers directory
PID:1192

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
47e8549957d7ac2bf0ac50408d86d0cb

SHA1
018f8ba7f0a7e9287616242124678b238f199dec

SHA256
59052200390dbad5b538e1e1c8b741f7f80510096c0fe2abcbba356af210b623

SHA512
3ebe8f7564746e58030f5a9439e5fda1dff126f2d6597a71f3e21d8ae46520e4ed6c110e136eaa12007bb4779eab1ebc00595f9236d8435a39c4ddfb38c2fa4c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2bda0ec261ed907c7e2a685eb8b4d992

SHA1
b984361b41fd2495605cb7532376060274b1aa5a

SHA256
73bf420e2608e52c9d2286a8a235c83067752c163e69fa5648f3751824addc59

SHA512
5bdc7d5ba7950ede994de7576be9d077ff958307e3b9e99e91f38a8918898e65dcaa85dad9b3e5c3843a80dcc5256968f9dce29769ff131eb9d516ba98d7cfbe

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
af76b9c26c15ca2d3f18cde6857453d5

SHA1
29947e9bf9fc712a4835122021f6596434a12055

SHA256
1126ea1efa2e960d106396b942df8e5ae0afeb58e44ab34d4881e2fa82b473de

SHA512
eb2ae7e449c45009b1928c5aa9d910d595815abef80b7f16ea4cf33ada1321a2b2d346555c72a43ed8d9a6cf3d1bf8cac722d10895c4f4c19dd17e6aa765cf86

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
343469070d7c4b9c0278c5e944790322

SHA1
5ae31d6581e9effc6cb5102ccb6b3342f38d052f

SHA256
3bfecdd4aac325d3f41fd874fbf5cefe9ef983f7ade317ac4d3ddff24c7860ff

SHA512
0a19dd9597c739c7dca47bf5aac552998d0b614740900f2eb640b70f53f5b2205403ea9e017866e13ed7dfbd17ba4560f455823eef57dfad394f12195678b559

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
cfce62aa63d7db6c076ce24a6385c940

SHA1
872613004935f672143e1433197a2feac495e1ac

SHA256
590bb26c4102b2983f64b46c51fa73ebf21641e18a5daaf66d405d0c084cf4d5

SHA512
0cdeb087880f2e06186cf887c6af246a5fd1b3d28b8df8270cde9d59267a54f10db8cb9f5314fb00678e66045db47b9e3ddbbb8b3fdb7728bc28c0752b77299e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
259f00c40fd0391d2095d3203ec8f36c

SHA1
246c6ca2c37a33599a3f032cbda1dcb0ffb6ace0

SHA256
1b8ac0e1f5e1323215b5f812ccc186865747c7540fe6856acc31e8ca01eb8653

SHA512
65a13235d7a73607d544ee1a13044889135647729752e23782929c2b4452bca9a6738430d28b57641c9c7eaee99452691dfdfcf4b528f536c3d3b125f23739e9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
39b41c53364486ac8c0c78ecebe474d4

SHA1
81cf938c62a97be92aa04de2fc5d39803925a847

SHA256
f9343c3ffa1b7072f066ad6a7411e85085197e20feaee029b9cc2d51ffce615c

SHA512
cf4fdcf4c94a28a644f77b9ecff82e4e4372fa55624b8461bc6c14babde0b58251ec0385704e2a743367656e22d2b3bf6f34ee4025024e253467e5485b353e32

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9e9e0632951d426db3f7cd3fc5ec2fb1

SHA1
b0c05cf1df89bdf05cb4b6e0e29c133e25c12abf

SHA256
4761bd954deac0720a8a77b37e7b01a92f1e1e66f7209ab72813ead3b8bba2df

SHA512
a7e7035e7b9e0b10420123b23d4f86487a318d922ff9aa866bbccd8aba66ef0aee6ebe6d6c6f060f922cc7d358b6083994ca93cb25916f510edf61029950254f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
371bdc5faa39fef44e9db708954240e2

SHA1
f64121d4b05cb42480c4fb2dcf1b6216e64a3f61

SHA256
4148a04864fcfaa2f7924e0bf04c5d00095f5ed15bcff669041c3c4ca82c5f23

SHA512
a31a95dbb7deb19f44bf7a6bae28ce12d34217c4b3c6dd2da3c3c52b054a7cd5857610ed1eccf63550a318c63b3e81ad4987be652a0f75ee6185cbeb1fa02a6c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ef9a6211919dde286cede4ffc3dbe02b

SHA1
8157a5a91e7b7942daf26a2d1d3f504484c848c2

SHA256
ece8b8383c84342746a3a1d5f0d3db17b286e56b882b4a06078aef547f0fe555

SHA512
34e1a29b36f480da40f8826ae934b7bbb2cbaaecdea0f4282b674a00c2068e65862b16dc9a6d788a90125dc87f2cc1c280aa3fc932bd1ce443692f77f0341914

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
106654abf335d226ac54074819037b3b

SHA1
7ea5a0589dc2a77f85dc8c456df25e3068bea18c

SHA256
5c0f04a9bcd20b728bc7a71a16c70dbaf6a0f4f08bc8cf268075ee549ab35eda

SHA512
34f402ef3ee403f0600cba1912d7de1022249972e92b925b61c32c25fb702d75ac77c37a285a9978491c8f87fbd73afcdb26f26fbb8f52c8790ca69c51d5f025

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
deb9b2bbe405dd9f9291f3dcee92e384

SHA1
b4938f0345ed1dfbca6be26b767b170ed21250da

SHA256
658dd193560d7ca33ad8eb0fff341a9a596fcc207ffe02911625b8be05a29562

SHA512
d1c61077ac674cae2fb4529f3b5385467c4abbf648a1a7f1cf5e4c3114257881703d1d86817b0a61bcd4139204675253f01608d1d1833773d1e2dbd8ef7d6c6a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fd071bbbe546728e82caf3bd0bea8972

SHA1
83301b67ad76fe8be27a9bae5ac5d97f00546c26

SHA256
04890947531d388d76ff6153a87023af2a953af0f3cd660902615a2a3f461236

SHA512
5b4d4a8c7b82a5da50aec99b6b63d08e8e2b39a6155d13159c66cca25c09e8f05096d03b37a36e796a870d1ca3f117bb8a972f20d88e97fa856392e3eba7adf2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
28f1afb5b0cb9032deee95a6bdd292b4

SHA1
5ae9ea534d0c2e430a6ea8b19f56da5857cd38bb

SHA256
8495a1c312072ed7df05d0548d11418d604231765ebc7308903d9ef2b70119d6

SHA512
eecc424eb809b437b7ba8a3508c91dbf1317a25c585ecb2eccdbd858b662b2f2420a014275fdd0da042778f5bbe2abf1eb1a6744589f6c56fbe77e9a7ecf4bf2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ed4404862df9ee2123fa57cbbad61c6b

SHA1
65551d3c6b5d88ef1e1dec9dfcd406b25091f56f

SHA256
457f28e04beed36ee9b843eb2cc6914a49e62c626a926558fbc7b5bb6bd1daeb

SHA512
772cc6d3b1c7e77e82cf1ddb2578ee9b90333882a0a8339b7e77e59a935d04cc8f6f02110cdef01fd438409bbfd23c7c971d476a783894c2074b88c121cb14eb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
844eec6869b0eea8b83aeac278326da5

SHA1
07868ac214fffd50efe60894ddaea671792c1da2

SHA256
8558277a95fe831fe64820b1063c6d50649d5be111c4cf8a1b8d6282c41da6e9

SHA512
e94612d51c35fdec2b8a8e752b2a0783e22e7d68aa3112e6ad9fc0f414de03f873721850c2990d42552010bbab454668665fcb7bb76ace0bcaf508561d951b46

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
80b81202e97e8ba467c0cb37a7c71be1

SHA1
ccc1dfc8a966b899aca1708659faf9970e4567bf

SHA256
b21eb0aa742d98a2bf6792a3a5a6c8ffe9de906d4d601035a163ec7a3442b999

SHA512
5baef74463d91a26a9349f131149bcb9c2e849bae73c6ad6f31e148d2ecf74fead98c817759ef15db116aa908046edfbba57ab3261e6475f4058ff6009566388

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1d9bccad70098245e852fa73d11b2e2c

SHA1
73f6cb3e8704abc1436f0f90187987478b601a8a

SHA256
232fa2531806b841ee5631998150caf4cb98264259257a5cf2a41d08aeaf1220

SHA512
95fab4b7b82c381622fdb5a5a05a3c80a6ca7dc90c1438cf2102ae98897ff3f904486731c9eeb9f585efef4be488f85b278f337485251dccd4590ac91f935fa7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
808485ebc271386e50ef7ebc4ecf459a

SHA1
d40705a9eab40817e98f93aa8d6e4fc0561423ac

SHA256
deb59f5adbe4fa9db5e1007e589f2f03ff2683b50d4867bbb5c8860b54f0415a

SHA512
1ea0b8f2af08691004a16005f21b3d4d21f4ebaea698629bdd14a9de88282fd1260fc240afab58aac42b5b337911bf5b1933a15acab325cf2c3ed627f01ac852

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9bc194867ef672ce2b7d1c98d128a9e5

SHA1
ca430cb680438c4ae5b5fb1fc583bc33f9205306

SHA256
3cb28b56249d7579a12756d715b4182f85ddccb513a39a848bcb8a2fe5c10fbc

SHA512
adaaebd8c93a05a2d6caf6f17b2a8e700e8c40d281e979ef28395356933cdd106b1c09976612f244dbe68d0452d7194b5c568823b265a74af733b8cf817bea6b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ae2a70b00c1732d0b52a3e3287d2b071

SHA1
c53c9bbd1a21a9a9130fe51915bea0d4c636963e

SHA256
101dad50af6dc172cce75b7de56c78c2ac82eb3adfd8fefe63bf3180bc92043d

SHA512
5ac664125ed5a9c2aa1a6f82be6d7e99b5860159105a287b17a19b048cb0592c1fa38575bf47db3f2896cbcc125502b140bc8a2e86fe96815a8ebc8daf18bdd5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
88fa7baaa185097b4c7aa6727bfb4686

SHA1
92101fc55534e1776e46935156bfb3d0e9a99c38

SHA256
16e5f3b6b00245dfd35b30b62596461ed92b13a5c7fc84992ec7f58e9b203443

SHA512
fa77f87a84743785b1ff7836989362fa9c74d8f275138ed60756d56429c82cc084a07ca84a391927dc8403d36dc625115dfd113ad3134a8391fd9d9690eeb8fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f969059cf04412c4b5c97f26e4d867d4

SHA1
d4f49165a607979ed1df264af8b0999dbba31fb1

SHA256
fbd67fa2009e0ca2e85e5236cbfacdbe7516c9d68ca3e6300c4f275380604b37

SHA512
6dcd8197daf68d5f327e63afc0fb16f57b75c1057f3b46414e46cbe1483d941c834643d996f5bcac64153df9de4a7d9d902394f580615fa81c41d772fcf5f964

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0aec27a62cfe530797d0b8d4df854f08

SHA1
d685529f57ceec9b3c73114ef951a8d78faa1f67

SHA256
4bd070a01a2b4e3fdf8170962a8514c69dd1995cc218d2f4e83a0b1052b24ccb

SHA512
de2ba59321bc401e5dc032e368f949fccf2b9483e7a8ddfac710abbb3ce4fd6b0665dffeaf5659f94ff21c5a94c9630794b151f3c7dce4e71cd9e3c28ff12fca

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/260-103-0x0000000000000000-mapping.dmp

Download
memory/552-63-0x0000000000000000-mapping.dmp

Download
memory/948-133-0x0000000000000000-mapping.dmp

Download
memory/972-163-0x0000000000000000-mapping.dmp

Download
memory/984-118-0x0000000000000000-mapping.dmp

Download
memory/1036-123-0x0000000000000000-mapping.dmp

Download
memory/1092-138-0x0000000000000000-mapping.dmp

Download
memory/1100-61-0x0000000075B31000-0x0000000075B33000-memory.dmp

Filesize
8KB

Download
memory/1192-168-0x0000000000000000-mapping.dmp

Download
memory/1264-93-0x0000000000000000-mapping.dmp

Download
memory/1400-153-0x0000000000000000-mapping.dmp

Download
memory/1404-73-0x0000000000000000-mapping.dmp

Download
memory/1500-68-0x0000000000000000-mapping.dmp

Download
memory/1528-158-0x0000000000000000-mapping.dmp

Download
memory/1688-83-0x0000000000000000-mapping.dmp

Download
memory/1692-88-0x0000000000000000-mapping.dmp

Download
memory/1716-60-0x0000000000000000-mapping.dmp

Download
memory/1796-98-0x0000000000000000-mapping.dmp

Download
memory/1820-108-0x0000000000000000-mapping.dmp

Download
memory/1832-148-0x0000000000000000-mapping.dmp

Download
memory/1896-143-0x0000000000000000-mapping.dmp

Download
memory/1972-113-0x0000000000000000-mapping.dmp

Download
memory/2004-78-0x0000000000000000-mapping.dmp

Download
memory/2020-128-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1100 wrote to memory of 1716	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 1100 wrote to memory of 1716	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 1100 wrote to memory of 1716	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 1100 wrote to memory of 1716	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 1100 wrote to memory of 552	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1100 wrote to memory of 552	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1100 wrote to memory of 552	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1100 wrote to memory of 552	1100	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 552 wrote to memory of 1500	552	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 552 wrote to memory of 1500	552	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 552 wrote to memory of 1500	552	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 552 wrote to memory of 1500	552	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1500 wrote to memory of 1404	1500	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1500 wrote to memory of 1404	1500	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1500 wrote to memory of 1404	1500	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1500 wrote to memory of 1404	1500	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1404 wrote to memory of 2004	1404	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1404 wrote to memory of 2004	1404	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1404 wrote to memory of 2004	1404	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1404 wrote to memory of 2004	1404	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2004 wrote to memory of 1688	2004	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2004 wrote to memory of 1688	2004	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2004 wrote to memory of 1688	2004	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2004 wrote to memory of 1688	2004	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1688 wrote to memory of 1692	1688	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1688 wrote to memory of 1692	1688	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1688 wrote to memory of 1692	1688	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1688 wrote to memory of 1692	1688	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1692 wrote to memory of 1264	1692	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1692 wrote to memory of 1264	1692	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1692 wrote to memory of 1264	1692	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1692 wrote to memory of 1264	1692	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1264 wrote to memory of 1796	1264	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1264 wrote to memory of 1796	1264	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1264 wrote to memory of 1796	1264	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1264 wrote to memory of 1796	1264	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1796 wrote to memory of 260	1796	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1796 wrote to memory of 260	1796	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1796 wrote to memory of 260	1796	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1796 wrote to memory of 260	1796	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 260 wrote to memory of 1820	260	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 260 wrote to memory of 1820	260	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 260 wrote to memory of 1820	260	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 260 wrote to memory of 1820	260	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1820 wrote to memory of 1972	1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1820 wrote to memory of 1972	1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1820 wrote to memory of 1972	1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1820 wrote to memory of 1972	1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1972 wrote to memory of 984	1972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1972 wrote to memory of 984	1972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1972 wrote to memory of 984	1972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1972 wrote to memory of 984	1972	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 984 wrote to memory of 1036	984	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 984 wrote to memory of 1036	984	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 984 wrote to memory of 1036	984	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 984 wrote to memory of 1036	984	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1036 wrote to memory of 2020	1036	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1036 wrote to memory of 2020	1036	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1036 wrote to memory of 2020	1036	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1036 wrote to memory of 2020	1036	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2020 wrote to memory of 948	2020	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2020 wrote to memory of 948	2020	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2020 wrote to memory of 948	2020	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2020 wrote to memory of 948	2020	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads