35cf3ad040e370ea6febd200318776837ece71f06fc7e46392f2f6e55e860851

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
05-11-2023 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
Size

341KB
MD5

d9a43961c899fc2947ec5a26cd263c30
SHA1

0770410f5e9e3c1a58afbf8211ada5df36894236
SHA256

35cf3ad040e370ea6febd200318776837ece71f06fc7e46392f2f6e55e860851
SHA512

b65acb18ce381c9fd6976205d3802b49063e173e7f620b328a8d89317056b378eb2db328fcd52c652bb44ed13cbcee6b066d5efb2de71b62baf39cba6a2b22e1
SSDEEP

6144:grnkP+6bB0H9rj3fMMICM4kfBbSVtxzcdNg/SOPOoUkZUuOsOjbSMu6l3bS64u5U:gQ+Qu9yus9exo/iSuU8OsitH5og+

Score

10^/10

adware dropper persistence stealer trojan

Malware Config

Signatures

Malware Backdoor - Berbew 41 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00070000000120ca-5.dat	family_berbew
behavioral1/files/0x000e000000012274-10.dat	family_berbew
behavioral1/files/0x00080000000120ca-11.dat	family_berbew
behavioral1/files/0x00080000000120ca-13.dat	family_berbew
behavioral1/files/0x00090000000120ca-22.dat	family_berbew
behavioral1/files/0x0017000000015cf0-26.dat	family_berbew
behavioral1/files/0x000a0000000120ca-31.dat	family_berbew
behavioral1/files/0x000b0000000120ca-40.dat	family_berbew
behavioral1/files/0x0018000000015cf0-45.dat	family_berbew
behavioral1/files/0x000c0000000120ca-50.dat	family_berbew
behavioral1/files/0x0019000000015cf0-54.dat	family_berbew
behavioral1/files/0x000d0000000120ca-59.dat	family_berbew
behavioral1/files/0x001a000000015cf0-63.dat	family_berbew
behavioral1/files/0x000500000000f661-66.dat	family_berbew
behavioral1/files/0x000600000000f661-74.dat	family_berbew
behavioral1/files/0x0015000000012274-78.dat	family_berbew
behavioral1/files/0x000700000000f661-84.dat	family_berbew
behavioral1/files/0x0016000000012274-88.dat	family_berbew
behavioral1/files/0x000800000000f661-94.dat	family_berbew
behavioral1/files/0x0017000000012274-99.dat	family_berbew
behavioral1/files/0x000900000000f661-102.dat	family_berbew
behavioral1/files/0x000a00000000f661-110.dat	family_berbew
behavioral1/files/0x0018000000012274-114.dat	family_berbew
behavioral1/files/0x000b00000000f661-117.dat	family_berbew
behavioral1/files/0x000c00000000f661-125.dat	family_berbew
behavioral1/files/0x0019000000012274-129.dat	family_berbew
behavioral1/files/0x000d00000000f661-132.dat	family_berbew
behavioral1/files/0x000e00000000f661-142.dat	family_berbew
behavioral1/files/0x001a000000012274-146.dat	family_berbew
behavioral1/files/0x000f00000000f661-149.dat	family_berbew
behavioral1/files/0x001000000000f661-158.dat	family_berbew
behavioral1/files/0x001b000000012274-163.dat	family_berbew
behavioral1/files/0x001100000000f661-166.dat	family_berbew
behavioral1/files/0x001200000000f661-174.dat	family_berbew
behavioral1/files/0x001c000000012274-178.dat	family_berbew
behavioral1/files/0x001300000000f661-181.dat	family_berbew
behavioral1/files/0x001400000000f661-189.dat	family_berbew
behavioral1/files/0x001d000000012274-193.dat	family_berbew
behavioral1/files/0x001500000000f661-198.dat	family_berbew
behavioral1/files/0x001e000000012274-202.dat	family_berbew
behavioral1/files/0x001600000000f661-206.dat	family_berbew

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\H:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\N:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\H:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\X:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\H:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\S:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\U:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\K:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\E:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\K:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\G:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\Q:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\I:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\T:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\X:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\I:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\W:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\R:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\K:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\G:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\R:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\V:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\M:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\T:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\G:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\M:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\N:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\L:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\V:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\S:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\R:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\E:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\V:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\Q:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\S:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\J:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\I:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\P:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\V:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\P:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\U:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\O:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\N:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\I:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\E:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\E:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\W:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
File opened (read-only)	\??\I:	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2984	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2472	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2492	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1340	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2540	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1456	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2760	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2064	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2088	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1860	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1772	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1560	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2348	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2112	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
972	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2004	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1468	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
948	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1740	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1964	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2864	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1848	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1572	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
1232	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2792	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2720	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2752	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2464	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
2476	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 2984	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	28
PID 2040 wrote to memory of 2984	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	28
PID 2040 wrote to memory of 2984	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	28
PID 2040 wrote to memory of 2984	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	28
PID 2040 wrote to memory of 2792	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	29
PID 2040 wrote to memory of 2792	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	29
PID 2040 wrote to memory of 2792	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	29
PID 2040 wrote to memory of 2792	2040	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	29
PID 2984 wrote to memory of 2656	2984	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	31
PID 2984 wrote to memory of 2656	2984	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	31
PID 2984 wrote to memory of 2656	2984	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	31
PID 2984 wrote to memory of 2656	2984	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	31
PID 2656 wrote to memory of 2472	2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	33
PID 2656 wrote to memory of 2472	2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	33
PID 2656 wrote to memory of 2472	2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	33
PID 2656 wrote to memory of 2472	2656	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	33
PID 2472 wrote to memory of 2492	2472	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	34
PID 2472 wrote to memory of 2492	2472	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	34
PID 2472 wrote to memory of 2492	2472	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	34
PID 2472 wrote to memory of 2492	2472	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	34
PID 2492 wrote to memory of 1340	2492	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	35
PID 2492 wrote to memory of 1340	2492	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	35
PID 2492 wrote to memory of 1340	2492	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	35
PID 2492 wrote to memory of 1340	2492	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	35
PID 1340 wrote to memory of 2540	1340	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	36
PID 1340 wrote to memory of 2540	1340	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	36
PID 1340 wrote to memory of 2540	1340	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	36
PID 1340 wrote to memory of 2540	1340	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	36
PID 2540 wrote to memory of 1456	2540	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	39
PID 2540 wrote to memory of 1456	2540	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	39
PID 2540 wrote to memory of 1456	2540	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	39
PID 2540 wrote to memory of 1456	2540	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	39
PID 1456 wrote to memory of 2760	1456	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	40
PID 1456 wrote to memory of 2760	1456	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	40
PID 1456 wrote to memory of 2760	1456	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	40
PID 1456 wrote to memory of 2760	1456	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	40
PID 2760 wrote to memory of 2064	2760	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	41
PID 2760 wrote to memory of 2064	2760	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	41
PID 2760 wrote to memory of 2064	2760	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	41
PID 2760 wrote to memory of 2064	2760	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	41
PID 2064 wrote to memory of 2088	2064	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	42
PID 2064 wrote to memory of 2088	2064	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	42
PID 2064 wrote to memory of 2088	2064	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	42
PID 2064 wrote to memory of 2088	2064	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	42
PID 2088 wrote to memory of 1424	2088	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	43
PID 2088 wrote to memory of 1424	2088	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	43
PID 2088 wrote to memory of 1424	2088	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	43
PID 2088 wrote to memory of 1424	2088	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	43
PID 1424 wrote to memory of 1860	1424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	44
PID 1424 wrote to memory of 1860	1424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	44
PID 1424 wrote to memory of 1860	1424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	44
PID 1424 wrote to memory of 1860	1424	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	44
PID 1860 wrote to memory of 1772	1860	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	45
PID 1860 wrote to memory of 1772	1860	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	45
PID 1860 wrote to memory of 1772	1860	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	45
PID 1860 wrote to memory of 1772	1860	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	45
PID 1772 wrote to memory of 1560	1772	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	46
PID 1772 wrote to memory of 1560	1772	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	46
PID 1772 wrote to memory of 1560	1772	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	46
PID 1772 wrote to memory of 1560	1772	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	46
PID 1560 wrote to memory of 2348	1560	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	47
PID 1560 wrote to memory of 2348	1560	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	47
PID 1560 wrote to memory of 2348	1560	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	47
PID 1560 wrote to memory of 2348	1560	NEAS.d9a43961c899fc2947ec5a26cd263c30.exe	47

C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
    C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
      C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
      4⤵
      Drops file in Drivers directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        5⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        6⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        7⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        8⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        9⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        10⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        11⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        12⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        13⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        14⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        16⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        17⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        18⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        19⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        20⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        21⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        22⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        23⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        24⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        25⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        26⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        27⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        28⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        29⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        30⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        31⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        32⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        33⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        34⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        
        C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
        35⤵
        Drops file in Drivers directory
        
        PID:2896
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
  C:\Users\Admin\AppData\Local\Temp\NEAS.d9a43961c899fc2947ec5a26cd263c30.exe
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
358KB

MD5
cd7a07fd6bf0fec4ada7b53bd45335ad

SHA1
801a1a15d871913e78797caf70c6b13f8017c748

SHA256
a176af75b990ea82e35a565313c33fe467815c2893980158964b1709fedccac9

SHA512
378d0c2a1406d4bb24cc56d032ee8cdfd9b815176aa82d69e77db01fe4392dc8d36ae6760f83b3b1c256736499451df9ade7396090bf3ec3de3d587deb7d5c41

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
372KB

MD5
59a2700678bf126982c4ea4548930c2b

SHA1
a418f75587e989fe587799e0819d72b724a6096d

SHA256
cf56c241037d61120566c40e18904bfa38d107130ab086e5471f757e5793e53f

SHA512
47c625b7aa2800659d0bc5338c787a6e8f24b01116594eef7dc816c175e72be2a65b6053a031c7bf6b49ea73ab2572a36d3eed35202da14be6164054909b8ff5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
360KB

MD5
f5e22a200ea0261dc8e39de778be3de8

SHA1
ca64578a73415dc19fda48e8ac4bdeff48f4e24f

SHA256
46a543c8c8ae0b5e6c51d013cc82d9195b13c188a395202c08c85c96eb1c839c

SHA512
56e51da0c5debe7d9309c7098e32e266f0264b42bd40d69b13193da6e6adb1843301cc53f36c2d9a2784954e937182d0e105ebbc060a22ca95f76e74ec62bd2a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
354KB

MD5
3e8efc5b97f030778cdd663986c319ee

SHA1
13b9bb8c5efc8efdd5aeff0f70d1b830eb47510d

SHA256
069c86b2b140c3f7fbc88ef6f623c5eeaf3dadaf1236c7239226a5172d932725

SHA512
07fca9c81d373462feaf5593c54493105c39962acff07f9ff25257a7016a21a7a88138e3cbb7914d3d7f41d88e287599fc10e77730da4f236cfcb840ae3d0cd6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
361KB

MD5
3b8ca184a24b7c6d0fb0a5a9186cc43d

SHA1
86477593b192a1e0ea606bc1716588316e540612

SHA256
07710259b1c16eed7a813dc5b0d3fbd7f0737a82798c7c1bb44576ccc266275c

SHA512
bc5ec232bce03760a3e442e23dd8a9f4c82215b3fa9faddf9f91490087e116dfa506f855130babba5634491a409fb939c6f936d079f5155e6f1594017ae1b92e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
361KB

MD5
6fe11122360aadfc7fff7a65e725c299

SHA1
cb3f2c31ce6142c8bdf3920b9f597183860f2a56

SHA256
40b35efaadd1ca4f65fc7a22ace4638320683052608bab11960ac2d3a4fb7db3

SHA512
0f229cf92f11239745011cf208911bc531952f1e4b9514c391cdde6313bcc2504a7e98df3c7d4729e691d72b92d95090f32b67bf5394ea252e94318a0d146e44

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
356KB

MD5
0d053619da684137731069b61f9a7781

SHA1
92d9b2ff562837b1a3c10457919f18609f764ada

SHA256
f364ee859cc29d23166a1326161f098a4647f40e302b85920b159ad264240ab7

SHA512
66275cebaedbd63e30e3f8356cbcd17b3165959839886a70bf4fd664d6bf59ee994cb4622f65b4f5fa06cd5a71f39cd40870e32ac45046cbc46acef93a81d622

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
354KB

MD5
90390819dbd94399b1a9627ff9fca2fb

SHA1
7090ef442e174a242f17c683c202dba98d9cbf8a

SHA256
677a376ba931418e7d059fd80e4090cabb03d959f3442361264eeff5ff106760

SHA512
1bbb89e87b47bc774602844be20402b30a4533c89a3ea106a43e5fd1485e3cf38c19e623bfeb131ab34b04edcf820b0802d4d588065bab81912ec6e33c5da691

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
369KB

MD5
e3da50820a9a03ebc58ccd8d74877750

SHA1
ef03d9077e25466239061957bcdb0e0fb46d79ca

SHA256
77d60cab1b0f764624ef53fbf38e4281e63f00a0490b71f5014900066bc89186

SHA512
e6098e5fce6c6c5865ad2463556d5e85bfc22a0ee966797ef414baaca7be71fc13fc0b3c44012ca500d350c097aa23e44b7fb3ff4e2928ac5138c778fb39dca7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
358KB

MD5
3e2f6b1f8874d6173bedb91bc351ea24

SHA1
350e388fedcecf762998e5504b35a9964aa8970f

SHA256
99cf620f7de2bf0fc9f35152287a688dea0febf023a3a60b6d339998bd10444a

SHA512
759182a0a2523352c0cbfcb0d8baba1c3297f7bb2de07d8bbe92a7e406c60798958789c9c519a1b1da155e7b746df59f70badcfe1834000e902a130a33003bd9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
351KB

MD5
afcc32b20e438908305b44f3aa8fd5e8

SHA1
b68655ca495435e778b47cb779a87033bddc8e04

SHA256
ea0747951693de02593e48d3f42a8947ff422bcde38e2d210462da8011b8677f

SHA512
ef984a2a7be8718cc845feb45ed012175551a74fe6ebc0b1d232eb368552edbbddd74f7723cf4af2cf58d71589ac44f85685caa384521e8448d472cfcc11e794

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
368KB

MD5
d72eb0779f5c3abc1cb71b3abe15c609

SHA1
45173ce092730af8ec7c7a90e9a60cde811360ff

SHA256
ba7d6735b272d28340315d0a0a81d6ea7480d7d9f0abca383f166045a6984c45

SHA512
1a322a3f120fba33b9abe267fef6141fe25595b3ffa2ed61cfb857b90f01cc9a89f80a2679310a34d103e61f7194307e5e27d0c5d2648722e0edd22b9f63740b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
345KB

MD5
ec03569d3895921dcb12de02afc76d27

SHA1
71fc57c387d8ab17c51375a232947ef020902ff8

SHA256
cdc0de043c0f798e788ff85859d250199af92ee6d6ee19147a0e78230e5819f9

SHA512
5bf3ad2fb350872ad2f03b7c249a72187986f7003c348a05b667b6d66f7d55f4cfa17a7b4d2e10a8b2c614a58ff88423e7556d1fcd50e34e58466668322738a3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
345KB

MD5
8067987e08730e3b8577482b8a1b2054

SHA1
dd0aa62fe95cd0a66230c61db7b63d545c6dc9af

SHA256
9b11cb0d34e450e578c28fba4aba2e1822aac27a5c8568b55fa1d266c8144307

SHA512
e731388943f53daac91f6d1d68bbd21c8301967dff56208f5b9aa97ccff434fff63b34cb8b7ec57fcc3387479174bff0ec5d153dff7fcfbc1adcc274e429942b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
347KB

MD5
5b4ef20a3ba25c3e123a1d5a0ee98943

SHA1
2de00fc6a92d7106d339446eb603bbf6cbba0b1a

SHA256
e584441993e2fb39434c91d38e62e4ea83c1bae4379c6d0830dc3ea19818f853

SHA512
d0a8fb2f847d36399855d3c6e13c3e24fe77e0f5c0084a85ac09fc757efdd75382ced4372b6acd5547e67c49f03b8bf0ad7861ad2d391f89dc414425671d27c8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
343KB

MD5
59f601787b616f5e8cbe29c44c684e6e

SHA1
80cb2e2ecc8ae677e2241970d6dd5a45040b2cd3

SHA256
2f623c944f75242ccd2442b77c07bb5c7b42a302cbce6009e89180abac11a65a

SHA512
d972dbf96fad5769c84566b50247e7c8758e040ec6e81c48e79c6f388934f228409a0b310a197a4ad1327a13b15f1e36fd33759b7c1f877511ed69799d9ae512

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
347KB

MD5
19f2352cf5d240dab7dfdd72ccb256b6

SHA1
5922744293ba733018b8e83cdfdfe1b2bba6a1bd

SHA256
8cd4367ed3ce288bb97c2c2065591fae34bfbcb625afcb2716809d3858956bdc

SHA512
bde844e52270e1f6c9ba54f846128c54db1eee4c13191800b9528263d93ec64a2fac863ff6b2971406894212171b7fbc5d39f3e97d3cf039d47ecd50818fe173

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
358KB

MD5
a3aa2f6c6566ce94b89bd5e77872a143

SHA1
e5becb5e66ff9be51a599cf365fb7085eb081dca

SHA256
19a26d09681e9107a82db9a4ac1312841aa4fbc0c3bc9a00488e7573ffb56419

SHA512
ce4c3e84f4868db0f88847f24515383a7a98591c6a60faed0c05792489f21ab78daa1a00faadde2c4f28a286beef04988e406cc1071874ab8b9f3c115eb1e996

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
354KB

MD5
595b5bf37e1c107081f75268526be7a1

SHA1
5388b1867a9b6be43cba4d7e4edcc3c2df5f40fb

SHA256
ea8b8decaa806df164bf0e29f1bdb075f005e7732e0f0680041b213a5228200f

SHA512
2d3baeeea1d010b4c8babf1988df2eeb63d9bcf949a8af5f1a4f5683609d2fdb92b069e48476aef2a00461ddd9eaee0208642df8996ee54aff69d7861c52429e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
356KB

MD5
e151351f8e056a30c17e6c42f981d0fd

SHA1
af2cbc7c8e07633610b28ebb5f344b598a837141

SHA256
46d61c989b649ac8aa29715707974d2d90014608ed18b441ad6137d9b1ab92dd

SHA512
fc3068a8e626e2f8fd22718b7305255e6d40c5dfed73c75b3aa5405f0d876b5ef7bf9d98ad4e65b07cd8e44f67e88f605c46dc08eadc2f7860dea151c8a0fbe1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
349KB

MD5
b279ac06ffb0c7c3d9883e81cd0dc1fb

SHA1
5b93fa0caff87fb41f38f77346bcd460022e20ab

SHA256
3ff9b699ed10748ca3065857f3dadc993db15815a5886e68b9586297342b2ea4

SHA512
e231c6db9ceedf992c2b0215d669d728ce341ea304cddc2bf38251c940b6a11a3071248715c06818bf65928195f9e00fd8dd2b0c8fbedfc149a647a6f1ab4711

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
349KB

MD5
b279ac06ffb0c7c3d9883e81cd0dc1fb

SHA1
5b93fa0caff87fb41f38f77346bcd460022e20ab

SHA256
3ff9b699ed10748ca3065857f3dadc993db15815a5886e68b9586297342b2ea4

SHA512
e231c6db9ceedf992c2b0215d669d728ce341ea304cddc2bf38251c940b6a11a3071248715c06818bf65928195f9e00fd8dd2b0c8fbedfc149a647a6f1ab4711

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
368KB

MD5
aa74f46fbf802514aa10dc6c5606f8ad

SHA1
4e7f52ea8214cc6832e05cbf3f3c2f4939e345aa

SHA256
90a07c135fa35b06c6f8e05b9f0e2f3e784e4956a2a1bbb62fd12795bd9f0b5e

SHA512
24d6d4a140e4376dbab51f7e737a8ba514ebd2a97c269f9ee4c548dad7ee22244b5f2c57bf42042bc0a06cb5ef8e8d4ad778b08af007a27b11e6d155b6fb9627

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
345KB

MD5
cee94b7a7826ed85778eff2194b0b082

SHA1
c4c93af5c3edabab4566945882e3c4ee02408867

SHA256
94ec6b09fe0cd11a3e79468e68a924c960842da4dd7f7c15b5063255a3518999

SHA512
06314f3dd6c613b0b266af0e00ea39ce56cc832716e91d78f11ada3c9fddc358769ccceb5957a80ea9d7c16d6d96bc9e0c603e25c449ad1e32b136f4fb0d4083

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
363KB

MD5
cf2fad2c0d228b58bd72f46d85a102dd

SHA1
4da3f33dda952a4c2b134c92dc2652aea734ca5e

SHA256
9f5f9a05100412e7bf2afbbbe824ae7b5f1852b274a43293017589dca7ce481d

SHA512
90724b17765f6c6610f0ca8662cc51b4d7c4acc02c9f9f7b696d111b6af38464874f3edc4a527274dd332b284ccfc8024451256df5842cf45a53b8814fbd029d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
343KB

MD5
9646faa133268c1e301a3024256507d8

SHA1
2a9137e4f3050cb5910ef548fb0adb770a7291e2

SHA256
736839d37d4209ad09ed05873c91916d854a9b49a3767b89a2c4540c5fef13e3

SHA512
cc729b0597429079b9cd0577f42cf188c9110b80109696b96d1309f1be7194d0a0ae3866e96cc36932b692accb96e08b4f7b705a7bfe2f2b7b3830691ad9959b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
361KB

MD5
9f44c49d671779b10fc0aa26e34abc55

SHA1
0c33a29a36f40a0d236116ad1efae5c24bdc84aa

SHA256
e537b6825624919db10e2ef0a1770dd159f74522e002df4c2f43fd002c5aba0e

SHA512
ab4016965883ea65b150b581c687e409346c187ea063f397b15cc117d11b95f73a977e7cd26f35d7fa9c85bd52cd4dcd9367ea53959154ae84975940f0e34973

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
343KB

MD5
3c66fb8034007398a5f17890ebf10718

SHA1
63adffd0f4b089f44337461c62196f4ab7832b94

SHA256
77292e72b251fd2c2ceeb1ba023487e6078bc47e97dbd1018076d3cfbb494230

SHA512
82c9a4689a6dfcd51e86ee9b0ec9098b674f51c1f88415366befa4a7431a2a05aa692c32af5d2e9ed07f33e72ea0c13f8b08428a22e1ca86b9b8b9501efbf36d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
368KB

MD5
6689005de0a1dd5692f3a02bdeb7ff63

SHA1
c3c143e6b8917822c9f7278f5aa497ff320f4bcb

SHA256
7af57ad4274e07de91ecc295b835667f4e4d1168e4919d64d0f5da94ce280bee

SHA512
1291cff4cc589e6ec2906954294c35dae529d1250297c63c74db8122d1abcc6c4ea6ad702b7f90142adfb9291b917867916b4958ba04a80e2f5e35410bf0ef95

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
368KB

MD5
06b07840a6db29f42a0238344f25a75b

SHA1
5f22835a4a3740d64ecec411f253d7de44a3cc60

SHA256
ee2be7e21be1dd064549d920eb636ee0dc09ceac002743cc497c42a98472057a

SHA512
ba09bd96baa7add5b1f6d5f5c1acfcf46d2063ed063515b2742b81ce2b012e0b2851be49908edef1aef486b85643480803df96cd5b99772cbce6ff6e80840a2d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
366KB

MD5
7518fde58903d1679224a1db5336a2bc

SHA1
63e4ed004787c6589e3ebab9cbe56b03c587807e

SHA256
4106eee449dfd36e025cb2a8bfb5ee71c710a3a561092edf0ee5a8b54d41ee17

SHA512
722bd4472925a9cc68cad22c2c0dc51323ec5fb4c07af1c505bb1ee6e0587cd8a0f56ca90a9eb248db4795a27b5dba02164334626373db43892ead17db601f17

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
353KB

MD5
1a2d7a2fac53e66fe0ffb8e3b98ff343

SHA1
dbb521611ed0e3ed495fb13c41dbef631f7732f6

SHA256
eb5713f3a16742771bf4bd4f7999504eb3199007557049591083fa1085ca3329

SHA512
17b6c9b4b7839868fff382ddc4f5f604af202eeca261153d879c677cb767b011e1cd60a2c7facaf6ffea62938e465716ab2a88f667f38cfbcea6b5049999c9e3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
372KB

MD5
7ed2b166ba69777bd446b99024e7cc7a

SHA1
eaf678220314a5feb1d96c870724a6776909bcf3

SHA256
99b8ddac60622b62046a055ab6fe65056ff1c907a3634f100c23dfa513e4675a

SHA512
6c191f63462445329d8283711f3f0e6c3b6c732870e8a547460f2e4d8e42d81d9aa285d492b01f2c1564d9f225fe3bd2eba830b97970f7fc807e92f542fdca80

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
367KB

MD5
2577275ed909ff1154f20cd316bc3e50

SHA1
61bdf6654082482df07bd7439c8f20bda9da4df4

SHA256
051ff0f99a0eddb1f2b71df5ce6a484b0143d44210699024c47b5df4f2ea994d

SHA512
185beb62830aaf87997c4543b8cbf3c8ce25152772815a7734c122fd8fdc45b93675267454eda45ba3c38961eea2dc4e73ad087c4444ceebca9082104e1f8ad9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
371KB

MD5
e91eb71f47c7aaac105369a00e98667c

SHA1
a8dfa5970be077155a79e5c4201a88f8f7c41118

SHA256
4d52afa210aff16da814bb5f9a9f5a724db1b7d853365468c0cb9744370e66f4

SHA512
85371d5f218fdcde5720fd89ac9b3c60035f278c3447601d554d96278030f117aa72d26588f90b937c8301dc9befd06caa2d47119a9694b8c78a2f47099dc17c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
347KB

MD5
e7d0b59b41f3aed80fa4b20c2b8f260c

SHA1
d56a6f9d1fda2c80dd3f9d7f636735257fd1cafb

SHA256
d4e3a75db6aacf0764455cd469b4504e3a1693ca6cd5b882e8177fcab6e6df36

SHA512
b821eab1c17a773a682f5733e329a831e726bd29c63f34867a56b02a6a8f069c9d91107b4cd1a15634dcfaf372b2e2bdd30cb285594d068d889dcb8fbc11c689

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
351KB

MD5
9bec57abaa8566b20e6a1687e68d9f90

SHA1
e79b4278cb47bdcbe76ced9038446f375d378d88

SHA256
8525fc86619428b2aecab21b982f482419b572e1b692c0e76c613c7ee071bfc7

SHA512
d0dd515c348b46d7a3f5797fc7c669e42814e74feaed1d01844dca26fe13a3ef40ef95a02c9e296ae44d07375e98a224212aa8e19a396f052bcdc63c80be158c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
349KB

MD5
543c254f88f6dcd6cee61002c7faa137

SHA1
b692e6e9edbaef6ab858ec97d06a58b116bc4825

SHA256
a986d763f916073fd18b4abc5af9974448bd10ac20e04461d5f29a3f43aba5ae

SHA512
4634e6b4ed6933f206d8d0fa28433e79494eb42eaa9643fb546e58280f4ed9f955dc70ad349509acd25532a77d2f8a0463d8fc5903012fb6c11c0e74240694a2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
361KB

MD5
97b27d7b4f5da3369a20083bf2ea5a71

SHA1
557b7d78bccc277ee36f90ff55f457d81e3daa9c

SHA256
08358122f0e76aa6f7fabde4a2cce1a88c6ed1b537e13f5efe11cec5047a914c

SHA512
53456834c0b34fefaa84318c31dafb1b2ce5303d7ee57290ae9af609fd2cb71e88810e37aacc91a8fb6082776e4cacc253e28f205873752e29237e14d51f4d52

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
356KB

MD5
b712566a7742133dcc83ce94fa01e393

SHA1
004d0a3b376266c0a44ab703bee57c795dfce56f

SHA256
40febd891855cb113b952daa490648bf2ee82eb97f3b6551c7b93b87a6885efb

SHA512
3682232597deeddade6b5e6a737dc69cfdddb05d2f93982206e3c34a816d6b53bb46d4cbde2397283398adf0d635a0269fc23ef065e4226f33423ad18b8b882e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
341KB

MD5
5831a7e2d2bd209cacb2eb234cfe66e1

SHA1
57b5fe842d3784b5860b654796c138df3f1cbb0e

SHA256
02148d851457a233215539803c8ade97bc21780c15b5561799acb8ec934d5544

SHA512
967be240180199039a086499131836419a2e5264b3232ed9adb266eb830034eb82dbe07520157aba8b2899351d8ca6d8fcd92815dcd6f2674a4f7eeed717129c

Download Submit
C:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/948-162-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/948-169-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/972-145-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/972-140-0x00000000004F0000-0x0000000000527000-memory.dmp

Filesize
220KB

Download
memory/1232-220-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1340-39-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/1340-43-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1340-30-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1424-93-0x0000000001F80000-0x0000000001FB7000-memory.dmp

Filesize
220KB

Download
memory/1424-97-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-62-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1468-157-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/1468-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1560-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1572-214-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1572-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-177-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1772-113-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1848-201-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1860-98-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1860-105-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1964-184-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-152-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2040-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2040-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-77-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-83-0x00000000002E0000-0x0000000000317000-memory.dmp

Filesize
220KB

Download
memory/2112-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2348-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-249-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/2472-25-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2476-258-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2476-256-0x0000000000540000-0x0000000000577000-memory.dmp

Filesize
220KB

Download
memory/2492-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2492-29-0x0000000001FC0000-0x0000000001FF7000-memory.dmp

Filesize
220KB

Download
memory/2492-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-44-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-53-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2656-16-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2720-232-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2752-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2760-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2864-192-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2896-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2984-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download