546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Size

527KB
MD5

d2a84cd7cb1e7c8a63820f030753a8f5
SHA1

15d0538bc7013357e897f02c7e2175c122b2e826
SHA256

546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350
SHA512

de53165cb051c841207371ab0a05a1a69f9aadced101c419e3bb83f167da69ab1c1e1e524d1bf20573ae99f41490ed3f66afeaac6a6bf8367613947607c4c51e
SSDEEP

12288:gQ+Qu9yus9exo/2oweeKie/fU94i8Z3D+RXseaj9Mav:8I9exo/2TeeKie/fe4i8ZQseaj9Mav

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

UPX dump on OEP (original entry point) 47 IoCs

resource	yara_rule
behavioral2/memory/2320-6-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2208-9-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2320-21-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/8-32-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3656-34-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/8-46-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/700-59-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1676-70-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4124-72-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2696-83-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1676-85-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4916-96-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2696-98-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4488-107-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4916-111-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3988-120-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4488-124-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/5096-135-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3988-137-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2312-148-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/5096-150-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2312-162-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2836-173-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2084-175-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/212-186-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2836-188-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3968-199-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/212-201-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3968-213-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1804-226-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3608-238-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4804-249-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4508-251-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3212-262-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4804-264-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3212-276-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2064-275-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4720-285-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2064-286-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1136-295-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4720-296-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1840-305-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1136-306-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2304-315-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1840-316-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2304-325-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2996-335-0x0000000000400000-0x0000000000437000-memory.dmp	UPX

Drops file in Drivers directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Sets service image path in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\E:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\J:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\P:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\J:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\W:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\X:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\T:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\P:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\J:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\E:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\J:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\P:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\T:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\X:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\P:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\E:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2320	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2320	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3656	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3656	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
8	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
8	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
700	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
700	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4124	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4124	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1676	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1676	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2696	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2696	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4488	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4488	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3988	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3988	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
5096	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
5096	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2312	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2312	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2084	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2084	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2836	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2836	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3968	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3968	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3608	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3608	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
3212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2064	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2064	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4720	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
4720	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1136	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1136	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1840	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1840	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2304	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2304	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2996	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2996	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 3756	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	90
PID 2208 wrote to memory of 3756	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	90
PID 2208 wrote to memory of 3756	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	90
PID 2208 wrote to memory of 2320	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	92
PID 2208 wrote to memory of 2320	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	92
PID 2208 wrote to memory of 2320	2208	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	92
PID 2320 wrote to memory of 3656	2320	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	97
PID 2320 wrote to memory of 3656	2320	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	97
PID 2320 wrote to memory of 3656	2320	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	97
PID 3656 wrote to memory of 8	3656	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	100
PID 3656 wrote to memory of 8	3656	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	100
PID 3656 wrote to memory of 8	3656	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	100
PID 8 wrote to memory of 700	8	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	102
PID 8 wrote to memory of 700	8	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	102
PID 8 wrote to memory of 700	8	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	102
PID 700 wrote to memory of 4124	700	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	103
PID 700 wrote to memory of 4124	700	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	103
PID 700 wrote to memory of 4124	700	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	103
PID 4124 wrote to memory of 1676	4124	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	105
PID 4124 wrote to memory of 1676	4124	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	105
PID 4124 wrote to memory of 1676	4124	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	105
PID 1676 wrote to memory of 2696	1676	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	107
PID 1676 wrote to memory of 2696	1676	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	107
PID 1676 wrote to memory of 2696	1676	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	107
PID 2696 wrote to memory of 4916	2696	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	109
PID 2696 wrote to memory of 4916	2696	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	109
PID 2696 wrote to memory of 4916	2696	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	109
PID 4916 wrote to memory of 4488	4916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	110
PID 4916 wrote to memory of 4488	4916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	110
PID 4916 wrote to memory of 4488	4916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	110
PID 4488 wrote to memory of 3988	4488	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	111
PID 4488 wrote to memory of 3988	4488	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	111
PID 4488 wrote to memory of 3988	4488	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	111
PID 3988 wrote to memory of 5096	3988	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	112
PID 3988 wrote to memory of 5096	3988	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	112
PID 3988 wrote to memory of 5096	3988	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	112
PID 5096 wrote to memory of 2312	5096	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	113
PID 5096 wrote to memory of 2312	5096	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	113
PID 5096 wrote to memory of 2312	5096	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	113
PID 2312 wrote to memory of 2084	2312	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	114
PID 2312 wrote to memory of 2084	2312	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	114
PID 2312 wrote to memory of 2084	2312	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	114
PID 2084 wrote to memory of 2836	2084	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	116
PID 2084 wrote to memory of 2836	2084	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	116
PID 2084 wrote to memory of 2836	2084	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	116
PID 2836 wrote to memory of 212	2836	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	117
PID 2836 wrote to memory of 212	2836	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	117
PID 2836 wrote to memory of 212	2836	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	117
PID 212 wrote to memory of 3968	212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	118
PID 212 wrote to memory of 3968	212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	118
PID 212 wrote to memory of 3968	212	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	118
PID 3968 wrote to memory of 1804	3968	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	119
PID 3968 wrote to memory of 1804	3968	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	119
PID 3968 wrote to memory of 1804	3968	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	119
PID 1804 wrote to memory of 3608	1804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	120
PID 1804 wrote to memory of 3608	1804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	120
PID 1804 wrote to memory of 3608	1804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	120
PID 3608 wrote to memory of 4508	3608	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	121
PID 3608 wrote to memory of 4508	3608	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	121
PID 3608 wrote to memory of 4508	3608	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	121
PID 4508 wrote to memory of 4804	4508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	122
PID 4508 wrote to memory of 4804	4508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	122
PID 4508 wrote to memory of 4804	4508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	122
PID 4804 wrote to memory of 3212	4804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	123

C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
"C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:3756
- C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
  C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
    C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
      C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:700
      - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        6⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        8⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        11⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        12⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        13⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        14⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        15⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        16⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        17⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        18⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        19⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        20⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        21⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        22⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        23⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        24⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        25⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        26⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        27⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        28⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        29⤵
        
        PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
529KB

MD5
28b61962d7051f3eb31e0f2e04a730d5

SHA1
3d2a13fade4a9bd770af03442aa49529503ac490

SHA256
86b83364bd43fbab03fa3f4eca09e150f93b7296b670c309f8b5463e2ba4895d

SHA512
bbe0f6ab4e5a2f3fbf289ea6728e4f09a0ee255cd5214f65727f84d858400ea21df5408fac4329c4a5b2056ad2ac223ca71cb09219ed2ce643f38f741f724e4c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
531KB

MD5
1ff9a0cfd179829d67b16416752f27b5

SHA1
04dc2b39f2888a50c07fea785ce49619940589f5

SHA256
dc8c0d228a80d70be443812994408c5ea118c00d5e3973d02e3737fe65a40d93

SHA512
3df37e26eaff16db388341a43ade0c6f1221f36b5c8e0ff584166fdd681e62f7f8ae49df4590a54125a4b0e8386af527ccd657ffa9fb1b465a4256b11a1c8790

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
554KB

MD5
31505cbc32c03044a0a90352765b1a56

SHA1
c5991854c6efa8de097c5f93268af53f542656c6

SHA256
f498bbc709fb63038558f3c5df648c64055514cd6d53543a6a172838549a5e88

SHA512
c2a99fe5acbb113fbcf88b0bd4ec8177b03e84652f4505009407c87ee6461b648caea53533e4f50e5dcde5f3222ea31221bac03fb431ebed25dcc498fef7a359

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
542KB

MD5
f80b67edd902140b0b7385413c991e04

SHA1
455e4e63a1f5886b626dd79eb763bc6cfc036d64

SHA256
cad0784c781004a2961401b41a5f14518d5cfa234c97a19a9aee3a9d1cd8e2a6

SHA512
edf263fbf267db8c57c23f581dd65789f82af5698e656546c8afdbed96451bad02fe1534354a9abeb6b42a696af322da1a5d35468825d38c44aee949c6cdb283

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
540KB

MD5
bbf18567e2be8f233e30f643fa5d768c

SHA1
d4ca990aee8e33616a0df596d38763a593765cda

SHA256
ead276ad257268420f34a9fa8bdee7cfc06c2c2c014da173d8101b340d7286ac

SHA512
f5b0b802fc041e507a69080193ad883577d2a2f7bd5f34cc15f22553d55a110e18e76cb42050c39b82e69e7cf00d11d488856c13dbf44c9dc51da27766af42c2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
559KB

MD5
923c52a72771080314073b7ad587237f

SHA1
407d258b08b755534663a01507e57c313dfe6899

SHA256
4076d57ea46f01949ba8b49c26cd06aa7536266c32f2d7eeaaf4287044dc6840

SHA512
0f207b51b7d53481d9092f981e0de2b31fdbd028b9538dfdd85d387d876811ccc69902950c248efb8d1a8c61e1f972e5535879c804325b6fa63938020fd872b8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
553KB

MD5
5a40603aba2e1cfc80413098ff87ca62

SHA1
92bc7bc46a4083cc85428355ba923cb2f4fc75aa

SHA256
3311e9382fdace0d717eee7edd9f5e98fd9369473226a8d0fd2e5bb4fd4c842d

SHA512
783fdf4f67b70a2edf5584c95fceb48adb6b291a8d395548a93329780dc0aba8d8e25410799a2135d1ad206ad2a9e1ca06fae4c6f48dcd97c6e1850b745d5b00

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
554KB

MD5
08132715b955c3b5c8d296bcf0ab70a7

SHA1
264353086e3afaf922fae937801d62aa408256c6

SHA256
96adfdf342184e0d969c11adb64e146188eea06b381252e869a78218f9493202

SHA512
24a3941881b75d688415ecc1b93d52c5fcb5accdf3543cc24512e0f726ceed78dd6915869e0db48c57eb7d7aa143f0ef6f5a02de58a8bc83226e79261af117f8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
530KB

MD5
e06bca3ddda9250786dddd5787a64dae

SHA1
6b53b351772778997f1bfdc53d4916968b1bcebb

SHA256
0128c14e4878a42bfc411f955a860e21a7f1faaedc8aa2d20be7995b7965d3f2

SHA512
7e30442b6cd6ab9a688dfa5654583b8950331ecd8d8abd0cee8c9e29174c08c9ee5db0277aba261004ceca5af8e6548dc906344fb27cf6e4605ece7a302670fe

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
548KB

MD5
9032432e4afe74f888ca646eca72556b

SHA1
f04b3fedc376cbb0f1a04d102c4c554aac8afbce

SHA256
a3fec5f8e6e0e00e9d52975e3431deedade4eace36d19b67405f16f0ab9f07b0

SHA512
64bbab2d571ccc9339c8ddfa8db6f561abebc1244a4df7886d4cb63caebec86d2bba182f6d64b8395bcd1b5eddbbc2b9909c3cc0b53e3a870227dc8c8a817cb4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
549KB

MD5
4d039fc6c6a122b3bc0063ab61a6cd92

SHA1
74e9510dd646c3a75dad0e8c731d7acf76805907

SHA256
73dd88eea6acf5381cec17043de772911d5215657d9938954fdd952b5e3216e9

SHA512
060f2b82b651d6d68816b35141a49734ced0029117740e5df2df296b2b11987aafe074a24b8fb792941f129fdeebaab9b83288daec5103bbdd6e115decd402fa

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
543KB

MD5
919987a19ec741e55f14b739e917db02

SHA1
310c5fdb2d032f9969226da4475894142853680a

SHA256
2b4c9c45349c82628e33e7e294f404c3e063afc8fbfc7d6fae52920823100bb9

SHA512
36dd4d3447b53dabb511534ca941b21b27ec6f38da172d9d1a2ef511486d7d02931de1e361f81e933da33b786ef1047a35173b8935d32c6e3f0d61f487738cd6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
556KB

MD5
441187d8dda1b615790a5cb00801b428

SHA1
19542d9cec55de8043943dd6db953a4fa87e09f3

SHA256
3f29a4d7af062064ce398ca23e39cebcba69a2c07e2db31e6dfc0108cae61984

SHA512
e3eda6bccaea3213c1716d16b4bd30da5039679190969ffdf763cb510b495b469126574651b0df5d33924fad523131435685620f0dd759819ba6379787f0ca9b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
535KB

MD5
efbbfa0ac52a25d211559419e086ec86

SHA1
6b2acd82d99179d06cfc5875346f0d72614a26ec

SHA256
2eff37d71976cbc062ec51a92a43dc86b84401d23b55d8fd69869779efa92aa7

SHA512
8de38a10806b967a3c6a56b4445080a78d7d23a97c09e824de2fa0a03729eac678c332ed84f3ad9e8116116fb1d7ef8fbd64a3c99bfc18de265e1a4cc0764e38

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
530KB

MD5
36109439d5579892574316206d6cadf1

SHA1
0bee6f60802ab52c8f6ed585e194481f38addb20

SHA256
3740bd1a75ccbd1c515b10184070be7505d3915180a2de48ebb6522406ba53c9

SHA512
ee10f409b4546657f260832752881dac4d2d7b74b604c9acaf3497fb05bc873937c4613b9d5d48d4885b62c24d00f85827cb5781cbc7121ac028741738f24149

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
547KB

MD5
6289dd921e59f6c1847e94ab94c2dcf1

SHA1
2c6c2287297b2129dc8c2d9c271491912ac63665

SHA256
a1143987e23accdebf0d30ff1f051fc99bfebd565046c0170029ee20de3d1526

SHA512
674e57a86f2a9c4374701791b759ef6e2d7a0a4b8d5c9f7e81d3e6bbe2c57100e420ac968fd8d641e616e8587f8ecb457bfd5ed849da3c1609067bde943aebcf

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
530KB

MD5
1ea2db4cdbd8613b29a65e631cf54161

SHA1
a67f3d4deca5cf8d88ff89656c12c646a761dd7d

SHA256
e270d28fd22455652426d79b9496ade9de93b1b2e9918a6d90a0f81c99eeaf73

SHA512
b5826069753d5e1e639411b542fd24f62f82a4e4745ab6f959543feb697ee4649162649d5bc0af52ab8803d2958a0a0c044c586c918ffd91b4e93214fd21527e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
535KB

MD5
e0f76243feb667830be0480117ccfa59

SHA1
7de9d0dc7f836ba110f65abd02e532c8b6ba2601

SHA256
4da201f486c1c09d929fa94980e0b4f522baa3fbbb824e4b384dea263a2eacef

SHA512
b0abacadc78b1867b9eafe1d12341e632951480c4bd2ed7cea0aad8b19a39c7242793a0a755269d2209d4808fbc5d06842a1ef01a61e7e18ded9eec0cab2e4fe

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
556KB

MD5
4b220f7c4c2d1a11572dc21bead2e7d7

SHA1
00782d631a153f38750c72c32dda258947c08df9

SHA256
c4d367e5cff70b871d6978411227cc0c48f3933a9906f640a015836a2e2dafdc

SHA512
285e3a44a36fcf6c30db3ecbeb02ebefa128534e8b84a0cc575d2cb87537e11062f3100aca7caa04a0c442dd6dcdad0621b40b20d089b357f791d3669272668f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
541KB

MD5
74e26dd635c0266e870aebbd5743c506

SHA1
ff777469fe22cd10b53afcf6a7b47eaaeade75c0

SHA256
6d5b538802af44e2a88a0d33db2d435b068d058f31902fd282cebf06d333b759

SHA512
882884c2c8053ab9fae4c84a2a30883bf134fd25240ff2b692dc6c069aee36cc9e83ef1a115a6ba31dbcd33847015f19ec2a47c05baaebf0161b4827c884109f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
534KB

MD5
daa8d5a2de88408e6df6dbadbef25a6e

SHA1
a553409e25b61fd7671c7d169053239f8795e9ac

SHA256
efcbaedf415387b94fa2a5134d4dd457f1b5d35461781ad31f0671c954d2dd06

SHA512
75808ef39cf698fd1443b82e9ec869f2ec7ef537d6df7ff77b24f13105e382febd52329404965ca4153c9b27012c1b6afa0fbda1d9732e5e3e8fd2eb8164017d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
543KB

MD5
e866ed6058185e4da05cb6d772320403

SHA1
17918dfe81cb691a8ad0f5273b04d9b5975504d3

SHA256
b1692f5962ede61c596e446b0f55d859d1158ccdd2db8017e79eab21b2ade198

SHA512
c0c3a7d4dd3560fc617da871efa3db17a2ad99d476f0db408aace4669ec7152217793349207ca85ea4797f937f30ad442bb124d29ff67e6a51f4d79994c0e196

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
559KB

MD5
2dafc102f5a2da7fab7f910b471e9963

SHA1
88da797cbf7d7316a4931b2d9786aebefa87cd5d

SHA256
691fed6d206a7329f9ec6e21d1b224ebb27a5e2fbea1608a940109fd2b13b8ff

SHA512
668192fb03c1c363a9ec5703ee12fcfbf29590c489ed37ba9ec2bbde492a4c1f30c58584060c968952b8ffcd37ed665d2d79c4f308aba65962dd37a807bb786f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
534KB

MD5
15aecfd6f91f34a2d7e88017367f42c9

SHA1
8d6b8adb22eb65be6fd70b4f4d1c1320a6c98f29

SHA256
062478aabcc6a15cc10d4a68b30d7e5068015dec518fbe383f2d96c8eb63eedd

SHA512
10bc4df76940d57fabf2772f6331552a3c186e45655279fd7a5e1c1aefb3e850340f998dce3af41541ab13a1914e0e27a9acfbddb65185ed1d27c4676a66d63e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
550KB

MD5
181fc7848747a048dc6adf108cbae79c

SHA1
e5f5151a3bff08dcd84b763ef7fe5ce22cc16f30

SHA256
5666f32978baeef00c0fd8233bab8a8d5ef3c4ca2e7b90041f220884d5ea90e3

SHA512
db89f7a8c64fcfe0d5ca412736ed5db667f20c352aa2de91d502e7fa8e75267d3f85364f03f4ecb1aa0786b24df658524b1dfd2eb6351e0bab5b6b3fe530c81a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
537KB

MD5
9dbea47062bbd23d8e286c0a18d2ac8f

SHA1
90efb8d3a9ac23ff524ce4e32ab6d5db6f06078b

SHA256
371bb0b5abec57a139494b932a3a83bd829cc81b84bfbbeb1dc3161ad0143ac4

SHA512
2b4d25dc1d005810cd8322527381736ca63129fe0455c0f19417c36e03d2fe033e5b54c4b369825f93d49b75f9bdd9a1aec85ff7cdf0ad93b9714bc339f02eae

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
534KB

MD5
6d7531a13a822a15a6fd51971d13e7e7

SHA1
a5172a93a7ebe508281d799f25d2c5b5a9a0a163

SHA256
1b3327b5623ec1339e997ecdeb9c5bc9e366da5a320e27efd2edecbf1fb879bb

SHA512
ac240e4e559d444cf55c255362d22eaf5da6eb1bd13013b208c95b865a73d5b3af64fd76038f6bba869be1d6e95ef5482b3b5fd2f0eaed64e03e02deddf3ee78

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
531KB

MD5
434ea38b3a3a30f0c3c0849a4c45b02c

SHA1
0105888fe280e93c1354de52302d210b225aa3d7

SHA256
971b5eb24fe6cb9ff84639b2c1872e3db4ea02781a156c228a848256dd397d35

SHA512
45c4487240c6f71f1240e5702925c66d9c3ecd5f8843cd9f3991c6632261045509909391fc29f5e744fe0588d89469ff7af2d6dd80a7116c48f01af7f9b51fb5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
532KB

MD5
be2e2e1a2aa701b4a0c057cdb0123a03

SHA1
bbb31cfb56606d7a1ff9b618c5a329c85c7e3c93

SHA256
26801c1d8988a6100b85e0a40802240d8f8c38606f3486ff1ba54e818f4b7829

SHA512
0725579a75f4d98642d8b53f2dc045c3e350637eba3c60e31f10136d2dccfaea50d56db69927bb4b6b3a3a92b4f1a536d0bef98b7f1a490f50c273707a21eae6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
534KB

MD5
cfa758fc9b16677d0764dc286a75180a

SHA1
70638a9d26f3aba88ec37c055e3d05016a3f1563

SHA256
b2e9fb1a77433a5820824bc070be853fe13886531d1142d1f87a8042b80e4483

SHA512
e1bcc28ee4ea94bc7613ac8d5690f9ca7937b940795d6a29311cd76c40764bab6a9031202c81bb15834624d2a00b33381ead1fe77da4c66c54052ddcce8458ac

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
516KB

MD5
d29b591761cd612e746377a5951ddbf4

SHA1
d950df0947fcc1d987c0267de8c298af74ee58e7

SHA256
e73a15f5547239d1f9df5104461d7e3101891dd5f29cad8ede133fd2e18d892e

SHA512
3b2188fed2952202c9ed6d52172a257de3eea80b2a088f6d62304494f907bdce61ea1e3fc3eb3464ae249da2fe5da94457cbc764d2f14275f66d0fece128b7c1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
555KB

MD5
eb1876b85bc070c206bed80145151664

SHA1
dd0b73c64f8c88154cd14206f839236a5aaf12e9

SHA256
3b27608abe94969b108ff3236b56ffe41c05bb083e052e2a47e498eb1e0854c1

SHA512
c2475b52ff8639342c04514c5c5bd4642a3e71ac8622ab89b6d14b8b51294c2abff85737b75e1b08c2afa5707be6e64e1960ccf5b3133eec3bdcd4569620dff2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
548KB

MD5
9dbb4006c9ff6207191ababb76655def

SHA1
fbc9bc665d045bbc65c3f3ff3951c1ceed6697db

SHA256
7534513bd082f12cab0260b5fde4227ab1d3a2240d3a60e86567a07e9a712874

SHA512
d692315cf174d860e3fa3e25cd2f61a9c748fb2343f8b1be6aa4e52e9d9909e4a6aa7c68833c7dcff3940f9acc9f645e1725a6cfa38327042b1b0f5385b083cb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
553KB

MD5
55355764097dc74bf4a78f58920fd67f

SHA1
f9d1f1e4a61dea80eaeb1d41673aa5f9b6118cf7

SHA256
46b2a733b0cb831ce20136ee7b48c20e4d90c200d8295aed7b13772eabdd5dcb

SHA512
4cd621bab2af7f48d749be026c7f61f3f7d290c488fc7d1157a9b86ddc438eac45cdb68e81b238257ab5cfde74c8c3cac5bb0033bad209fe47a72ebba81891ac

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
553KB

MD5
9b175a23961b2b9fcaf1f258961f0858

SHA1
748182fd22644c1879adc51129d47d20328cb84d

SHA256
4a093e8a49169aa3a203805fac9547e6c4155e66002fa0288d90c2a620d8df3b

SHA512
7fc6946f5a8a66351e0611a1b9da5b1514131694728b120a4ead75cc0bb284b8e62f57f6eb6037514b7f00a5f44f75baebb2ca4bb2d3776a5de906ba725b6a3f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
529KB

MD5
4c49e03c13666cca71f732caaba182f7

SHA1
955309768d3be02febecf0eca96bd9a171714cf9

SHA256
9ca749bc0a3ae8caea01893290ccb4c0fcc215dacccb2fbb43b66374278433ca

SHA512
8bc4a6182e57bc1495b01eb174fc3bd55feb22ff7747065a60018db09ca48aa6d1fc28d419eb3e9d6d9f82ee6ac669b25daf57a6104efb1a2e4dba7f35666dc3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
548KB

MD5
52681ffa2efc5aa32416da460b8617b3

SHA1
7c850949e849f6432ed321973314503fda1d5415

SHA256
504acb7a5f249b3cf0d4308c8d08768d6c49142d08cbc5c01d59e8d0fd1dc055

SHA512
195253af9c071ab3c8f5573803122b5f281694626dae5237d2cd36f3aeecbf7176d5bb20c7e782883ac19703a4ae1cba6f617d6c276f604e99b967613dc50543

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
537KB

MD5
9c790b238d97def120e8b6544f04b692

SHA1
8a3d78d8d3cdeff547a184569339f4bf87b33d5b

SHA256
0f3ac0824d10f80d1c8b7a6dcc679e301d34632860fed64c154e63d157fe07ef

SHA512
b588a32e1e08625c99ea5aedec771e590899c504e2fa9f3b9e20a163806cca5304d622949d060f3168df6284bc4d90c2bb54498a46735bf7a4ba1802b0208d67

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
537KB

MD5
3e6e0c8d5f460606d6dbc7ed5f9ad352

SHA1
2761359227f77043e5d93ce0316be78c2412639b

SHA256
c3803141adc0a619ec745ecc8e5b793acf28c5a467b67b7f751ff7ac6964ce7b

SHA512
79c103b3150c161cf36c9f0339c5f12869a781cb64606c59320c6219bfb040d5ad60c1804207bea7a17eab3ce042d36231c3997630e1c1037768cb830d237d04

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
542KB

MD5
7a794df3482415b570dd66f96448cb11

SHA1
08fd9ebd450d117d5f13ed170ff2ba551c427d6f

SHA256
c6fcf02176db420faee7d61b685e813bba3636e87be1f635f98524d9e8f08062

SHA512
62d1eac67facd5137402b2fadcbaeb2aba2d8c393d500ed006738604c347536ce06169868e63a004af29cb7f402e779743b52e90251219f36fbba6ee7d176a9b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
529KB

MD5
dd2c7b5dc667522904a9b2a7723079a1

SHA1
2f31827db39ef0a1227efadf386ded3bfd92ad01

SHA256
604350cdbf7396b1828ae2e4f36ca2ea2aaaf1884b26823cb125f3c3fd714431

SHA512
662ad44a0fd2638db373249ae101c83b867dc475ab9e0e0d0100020cd1d6db8fafdc0bdad4e15ead6cb442c711ced879ab1c51ab123bf4334363414798e691d1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
537KB

MD5
b72dc2de1e88941e5b6de38798abe577

SHA1
3f7d0f197dd0aaed0749cf39c0da30b3ad183cf3

SHA256
072081b8c7fbdd644649236f172e7e4564211e8c38d3ee12f7356e4120bc8b01

SHA512
a8008edfed80a08158b2cc042429b355fca693518c8a0ec2a9e0dad4b58f5925bf957075df9000b5a59c6d4ffd8b866fc8eb4da35e7ab16291abbba10e1bd976

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
532KB

MD5
c2561561d7c8c665e1dfa9fe5680278f

SHA1
55df96ad6d77e9dafa6db5943497acc02a487c1b

SHA256
04d799f12a4d602546c658444453539fa1bfe50829007d8a4febd32bf3a9d1c0

SHA512
94c947b30cdec6186882d889cfc70ceb2b2bbdb0e5b8d2bea8868e4da5801b699a463ec914da154f6d915d548f20bc348a3ecc7ad2708cd102a6305ceef91842

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/8-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/8-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/212-201-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/212-186-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/700-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1136-306-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1136-295-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1676-85-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1804-226-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-305-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-275-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2084-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2208-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2304-315-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2304-325-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2312-162-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2312-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2320-6-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2320-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-98-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2696-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2836-173-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2836-188-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2996-335-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3212-276-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3212-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3608-238-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3608-222-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3656-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3968-199-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3968-213-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3988-137-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3988-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4124-55-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4124-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4488-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4488-107-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4508-251-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4540-333-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4720-296-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4720-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-264-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4804-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4916-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-150-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download