Malware Analysis Report

2025-01-18 21:25

Sample ID 240323-w277aadb7x
Target 1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902
SHA256 1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902
Tags
upx adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902

Threat Level: Known bad

The file 1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

Enumerates connected drives

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 18:26

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 18:26

Reported

2024-03-23 18:28

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (18 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (3 identical rows)

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ftpdll.dll C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (64 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe (4 identical rows)
PID 2876 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe (4 identical rows)
PID 2876 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

"C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe"

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 xepace.cn udp
US 8.8.8.8:53 hq-pharma.org udp (3 identical rows)

Files

memory/2876-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1960-1-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3040-2-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\SysWOW64\ftpdll.dll

MD5 91d31d186f3bbd935946697f8b34d5a0
SHA1 78eccbde63c6913759adf819622ebc3508840f94
SHA256 1767b9108ac9ba4e5d0a7bb104a3462ec4dd5076d3245ad58d25fd1a972fecd0
SHA512 16bdd3bbf2f51b585617a9d398ce1fa8b997e8dbb92ca2d441cab833733255d364537f1ecf9fa020014af759dc6baf4e1f60bfcdb510062c9ecb01ac64c05db4

memory/2876-7-0x0000000010000000-0x000000001010B000-memory.dmp

C:\Users\Admin\AppData\Local\cftmon.exe

MD5 23983e99df31f49393bbff97c3d2c540
SHA1 bad6f04ea7c6e4700c4bb4ba04bf4e38af1a77cb
SHA256 43469a41a106227ba2314ccca6a97a03a7fb48b70adeefb2f42d68840fc1128d
SHA512 e2e4f4f0fb570443a3534e9d5f1e2fa0e81afcfb729ec4d026579f8ace3fd5b886e60ced1cd745f696123c463897d2897df2fc4b796e1f9441de506bad6d187e

memory/2876-14-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1960-16-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3040-17-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-18-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1960-20-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-22-0x00000000021B0000-0x00000000021F6000-memory.dmp

memory/2876-23-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3040-26-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-31-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-39-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-55-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-59-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2876-67-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 18:26

Reported

2024-03-23 18:28

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (15 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A (4 identical rows)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4656 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe
PID 4656 wrote to memory of 4676 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Windows\SysWOW64\reg.exe
PID 4628 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe
PID 4628 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe
PID 2956 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe
PID 4628 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe
PID 2720 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

"C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe"

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

C:\Users\Admin\AppData\Local\Temp\1f144a203b184e91beaaddcd28f35272b3f86759799b36e1897c5e7120d21902.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 xepace.cn udp
US 8.8.8.8:53 hq-pharma.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4656-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4628-1-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Local\cftmon.exe

MD5 b4cbf850f8253a2c643386676f074adc
SHA1 84d08a9d95b52c1b109e821a9d26d1281a8d569a
SHA256 6236717c33702bc72d3eb683f463763069062d521f7228922035a1db5605ee62
SHA512 95752f076a11969cc29195df8d99f65b4c65718c7c30d88678624ae90cc5076a5bbae07a0da27c3c40c2dd1a5b5ffd2b5339d5abe3f20886b3bacc16bbb1ad13

memory/4656-8-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1252-9-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c74e5bb0edf441fbb5cb49ccf260eef3
SHA1 39c6f4e28a8af10ffba8abf9774541ac8cafbaa3
SHA256 3e4a6ffc386a60d89e1f1dbb7ae5d61395b17e9b60a4e08effa8e35e6010b5da
SHA512 c5a3cdaf3c6a8adc5490011affa917c91f2c58f6207a5de93244c45580fee5db78b87d0486b39808a1ab3fb9667fa1705bf62d84d7cf51c37e2a99270b5abfc0

memory/2956-12-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1252-13-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1432-14-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4628-15-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2720-16-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1336-18-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2720-19-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4628-23-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1336-24-0x0000000000400000-0x0000000000446000-memory.dmp