ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce

Analysis

max time kernel
160s
max time network
192s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/04/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Size

446KB
MD5

7117337199731d38da136f6f472fbb7a
SHA1

be11f1e3de5d90c06ea5e76648f36a00266cf7de
SHA256

ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce
SHA512

446f935e5510303e37a13abf7ee5ddc13a76bda6bfff5fe9a3e472cfe71f41eab61c7884f77cb7c4df5b6c6717c72985039efed789d5f7907df3879eb2a31f92
SSDEEP

12288:gQ+Qu9yus9exo/2oweeKie/fU94ieeZXnAeou:8I9exo/2TeeKie/fe4ieepnAeou

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

UPX dump on OEP (original entry point) 29 IoCs

resource	yara_rule
behavioral2/memory/976-7-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2064-9-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4688-21-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/976-22-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4688-34-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/484-46-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3436-58-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4532-70-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3128-82-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4692-94-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2064-106-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3380-118-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/5056-130-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1072-141-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2408-154-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1232-166-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/820-178-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/3004-190-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1284-201-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/1004-213-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2004-225-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/228-237-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4564-249-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2028-261-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2576-270-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4832-280-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/4756-289-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/2472-298-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral2/memory/944-307-0x0000000000400000-0x0000000000437000-memory.dmp	UPX

Drops file in Drivers directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Sets service image path in registry 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Modifies system executable filetype association 2 TTPs 27 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\S:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\U:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\U:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\Q:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\R:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\M:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\N:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\S:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\L:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\Q:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\L:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\Q:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\E:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\E:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
976	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
976	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4688	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4688	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
484	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
484	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3436	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3436	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4532	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4532	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3128	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3128	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4692	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4692	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3380	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3380	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
5056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
5056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2408	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2408	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1232	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1232	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
820	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
820	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
3004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1284	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1284	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
228	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
228	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4564	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4564	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2028	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2028	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2576	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2576	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
4756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2472	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2472	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
944	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
944	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4852	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	88
PID 2064 wrote to memory of 4852	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	88
PID 2064 wrote to memory of 4852	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	88
PID 2064 wrote to memory of 976	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	90
PID 2064 wrote to memory of 976	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	90
PID 2064 wrote to memory of 976	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	90
PID 976 wrote to memory of 4688	976	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	96
PID 976 wrote to memory of 4688	976	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	96
PID 976 wrote to memory of 4688	976	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	96
PID 4688 wrote to memory of 484	4688	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	98
PID 4688 wrote to memory of 484	4688	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	98
PID 4688 wrote to memory of 484	4688	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	98
PID 484 wrote to memory of 3436	484	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	102
PID 484 wrote to memory of 3436	484	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	102
PID 484 wrote to memory of 3436	484	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	102
PID 3436 wrote to memory of 4532	3436	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	103
PID 3436 wrote to memory of 4532	3436	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	103
PID 3436 wrote to memory of 4532	3436	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	103
PID 4532 wrote to memory of 3128	4532	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	104
PID 4532 wrote to memory of 3128	4532	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	104
PID 4532 wrote to memory of 3128	4532	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	104
PID 3128 wrote to memory of 4692	3128	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	105
PID 3128 wrote to memory of 4692	3128	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	105
PID 3128 wrote to memory of 4692	3128	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	105
PID 4692 wrote to memory of 2064	4692	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	106
PID 4692 wrote to memory of 2064	4692	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	106
PID 4692 wrote to memory of 2064	4692	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	106
PID 2064 wrote to memory of 3380	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	107
PID 2064 wrote to memory of 3380	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	107
PID 2064 wrote to memory of 3380	2064	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	107
PID 3380 wrote to memory of 5056	3380	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	108
PID 3380 wrote to memory of 5056	3380	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	108
PID 3380 wrote to memory of 5056	3380	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	108
PID 5056 wrote to memory of 1072	5056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	109
PID 5056 wrote to memory of 1072	5056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	109
PID 5056 wrote to memory of 1072	5056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	109
PID 1072 wrote to memory of 2408	1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	110
PID 1072 wrote to memory of 2408	1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	110
PID 1072 wrote to memory of 2408	1072	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	110
PID 2408 wrote to memory of 1232	2408	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	111
PID 2408 wrote to memory of 1232	2408	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	111
PID 2408 wrote to memory of 1232	2408	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	111
PID 1232 wrote to memory of 820	1232	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	112
PID 1232 wrote to memory of 820	1232	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	112
PID 1232 wrote to memory of 820	1232	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	112
PID 820 wrote to memory of 3004	820	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	113
PID 820 wrote to memory of 3004	820	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	113
PID 820 wrote to memory of 3004	820	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	113
PID 3004 wrote to memory of 1284	3004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	114
PID 3004 wrote to memory of 1284	3004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	114
PID 3004 wrote to memory of 1284	3004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	114
PID 1284 wrote to memory of 1004	1284	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	115
PID 1284 wrote to memory of 1004	1284	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	115
PID 1284 wrote to memory of 1004	1284	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	115
PID 1004 wrote to memory of 2004	1004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	116
PID 1004 wrote to memory of 2004	1004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	116
PID 1004 wrote to memory of 2004	1004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	116
PID 2004 wrote to memory of 228	2004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	117
PID 2004 wrote to memory of 228	2004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	117
PID 2004 wrote to memory of 228	2004	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	117
PID 228 wrote to memory of 4564	228	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	118
PID 228 wrote to memory of 4564	228	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	118
PID 228 wrote to memory of 4564	228	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	118
PID 4564 wrote to memory of 2028	4564	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	119

C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
"C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
  C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
    C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Modifies system executable filetype association
    - Adds Run key to start application
    - Enumerates connected drives
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
      C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
      4⤵
      Drops file in Drivers directory
      Sets service image path in registry
      Modifies system executable filetype association
      Adds Run key to start application
      Enumerates connected drives
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:484
    - - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        5⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        6⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        7⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        8⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        9⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        10⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        11⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        12⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        13⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        14⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        15⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        16⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        17⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        18⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        19⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        20⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        21⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        22⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        23⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        24⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        25⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        26⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        27⤵
        Drops file in Drivers directory
        Sets service image path in registry
        Modifies system executable filetype association
        Adds Run key to start application
        Enumerates connected drives
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        28⤵
        Drops file in Drivers directory
        
        PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
456KB

MD5
097331cc1b09d34219efff922028c066

SHA1
5ce3850f30b915295c096867f8d672cf1d83cfff

SHA256
b806a96220417bfa84adb6b34bb0762daa57ae5a0067c963258af3303001287e

SHA512
32e6e5427fbfcfe93183c2c11a50ac5f75979bc83634a79976d660ff74260bb1c18c917e31693dba1cda94b392cac8bab99d2ba7684462a5c8ecb633f86ba98e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
457KB

MD5
c344e546a6909e6c1ccee8d476a8bb10

SHA1
4cfa82e9c13995bed7b5efc7727b5e9e6e477003

SHA256
409a0335d468dee5659d02c8c10328968cfe775d279e7c94c7fce29f10c8a593

SHA512
c31abe9f3c73d20ca50a142f75553445a8c58aec458cc3489d53844e30e860fa93386e3b33a6b6d5419fb66ec6fafa270cad682ebc318bb736801bdc16f26000

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
470KB

MD5
b5f06f84518a5fdc33b2da9247d62f4e

SHA1
468c6c46eaed5ae6895a6e54a9f18ac703d86135

SHA256
93b362cdbf08601f340f78f3c088dff046823b693c42539d16a19f9afca7bc35

SHA512
db6c9b4e6dbc83453a0036aa28f257f4f928b910ebd4377d0647257bcf3f6ac72e8fb1f3499310b613e2e6eb27fba4d8e18848918c446056f6231ccd5f5f2680

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
457KB

MD5
8a6001bbdd604ef68c40a66564318205

SHA1
ddd617fe37c943e5dc82b32239cf38bebab83f88

SHA256
a2767257611f79400f67915c03b7f1b45fc11e27e6fa797d9783d0bbbab533ce

SHA512
dce0287de35ab18c6d87d99feffd24211658bc94316a2b23042a7deea4e584e82b034214edaa1294fb2ae580b9bbed355cd12fbd19c6c3b5c59c658214926152

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
474KB

MD5
37d8b9a0a2b9cd8e6f9cf16e8b543de7

SHA1
8753d16c346a8a61012def4621d549488fc032ce

SHA256
4dfa2d8bd787bc3adef4b99f4be1fa345fc9a080ab78045cb6abd6c4798fa88e

SHA512
55e893f5a14ccb8d882f6262c0a342012b679569a0ce1a8b46f7c31febad3b2213a4e57318f7c105d3e2a1f0e408ad2c7d2f3a79098530d6aface0177062f2e7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
455KB

MD5
b2311b7f13412a8192a8ba503065c393

SHA1
cfa1ea92d9293fdbe7d58b0810bfb37434bf2f0a

SHA256
b84c589cc0b296086c82594b30efe729b5717e255f4c1ad67f536a97c5b9f171

SHA512
37c8e9f70bf43b791aac0d78caa343019d7ea843160ba6c38f1a9ff93374645c6a6b20a89d3310204763841e41ad3a84f485cc1359abdaad903c778168c7420c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
472KB

MD5
fcd962363a712f8be442ed5da178066a

SHA1
1ff7b606cfffa09249716fe4d6fafaf8d576083b

SHA256
bc7f7a7efe7fe2e049df4472045fc0f1a391f6856767476f6f7173224111d257

SHA512
c59d2df1dd57f9cf1eeb772196c42cd28eafa450ca72ff3235760fb2d40ba35480d8558e6bf6fdaae82af0faab5ec09ad6d9307bb85515e83f7134a97915c32e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
477KB

MD5
a501e2d19151aa85ef264b4b88f94c03

SHA1
dc79eb5d69578ffc5e660723a7969c6e619c7c0b

SHA256
327aed66b86a9b11854e276b426d9ab585b7ed963db739c0d605e349c94b49a7

SHA512
9fa48fe01d476c7ac652d1255ad3b2c688f2b5bf20c1563ac9d894e167c0a8db9be7454138338f0ff9b1ac4a14888bb893482afb03fb5fa5b6a1aab7417e1704

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
451KB

MD5
b19dc43a6765eb93ac72804658fbe884

SHA1
7fa065839201f79db15c201cb1433b38265a7157

SHA256
6fecc31fe117c767c3f02260c808e881ffbcbfbef9f1e8ef5756c96ed55e4fd6

SHA512
ab5be79e69c26bcb929c192f454abd9b60bca1381b4108c7850bd83d4a1dfa012391e301b5674ce2c2f97f4664206f30190bb5aab69fd4ea83b70bb13f2e42bc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
477KB

MD5
5ad1a3e36aec6e514ac5ba3e18637f02

SHA1
6161c692fbed196d271ef95a2bed8062aa85fef9

SHA256
38b178d4aa7758795cc731c51121824a395210f7bc2896a676e5ffcb2de1384d

SHA512
053ea762bbe5c368dc6450fce9cf48d16fc860354f69991683df73524a69c8b7de91904a44f5a5a453f0d3d8ab1fef3ff4dc5aedf9e647d92152701ad5cdc54a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
455KB

MD5
21732029f3b6b7e436098d10d63e9e73

SHA1
fb62f0c515e33304fe859a08de9925382207d2aa

SHA256
06ed2597b20a28e5a1db9752d2542d552a54bc4af2da16fc0d1bac0e175c03b6

SHA512
817f1ea5990a9be41851c90806b15e9b1227dd85ec4861f0edaa3581b982d60c463c921f2eae21feb9602e6976d21cf2df99f5e57057a38bb9ff816f20609b6d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
467KB

MD5
d49e64d7b959cee124101d16c11eed38

SHA1
c340fcefb5500067158013e8e35c9c82d67a8b65

SHA256
6072c5d212e8c72eeef2a51ef42b958621bd31d2afe4437b1bac63a5d808cabc

SHA512
53942c809f210b7188a7c196d2ce9a162558fe4a58556505157c70a6580e076a786076d267ec82921bd73d142c72abc254edc369b355cab34d02c11f36d2de4c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
475KB

MD5
578102333eb7bbeaf7ca311cb3d04651

SHA1
573f38127271cc36a88f9caeab4f9dc08b5d9901

SHA256
ebf04141d55c01c2175a755af385ed60cbe752017cb134211132cf3241337750

SHA512
8062f4f3c4c13e200c80e43e3ca138a7146b90c6b4e5e6167cc2792ab50924b9557369a9eca084dde30ddf5e29e632557aef6bf8dfe801fb2411ea1c00ac50c5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
447KB

MD5
5130d4969ac420436cfc21bb69c7cacf

SHA1
680881345cdeffe79e1b5e404e9a28eed2cf0160

SHA256
b6330db2c6e4974b6986af30cf15508af5fd09c2333829376452328eefb86bb3

SHA512
9f759070030a5dd91f95d4adef1a48664657eae364d6bf5e210976287bb2bb49771ed9947dda0dea8003573464330d36fb8b14f62d353d969f01f157f0686d4a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
460KB

MD5
74383960e4be2e5c2686c514d3402750

SHA1
18baaa6c67af7458ed3dacf0cbf39bac0cb830b6

SHA256
6f10ca21e139ee9db959bf8706171f56b9336c461d06351b88591507106cf9be

SHA512
5621ad6f85980598c8cdafb22e01163515d0a1e5d2f093e2f58461fa0e1eb64163080d9de1bbf76b4cc80ebb7205f143bdc556d4c8e7d87a2a340c5ecb05f6e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
468KB

MD5
7422c33782b324d4e005e61a3f67a42d

SHA1
686ad7e2a062c975eaccfb3705ec308da0ac51e7

SHA256
7adbe3145e22322effef7152064ad5db6421667fca845c2a3d78d558397921ca

SHA512
fcffed027bce2a11d22dd31b9eaa84fbb07dabd87a9143054b79a31bfc993162a5e65ea9c1cbc99152cf3708d510ab139386afe13a8a8206ea2428f641ea29e0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
449KB

MD5
aa23ed88b3609a3bae3f53cd6bf29ad9

SHA1
268a78e5c91e01f055a54b445e79b92f8877ad66

SHA256
dd3252f03d72d60f12908fede6ffe3f7a5ebd0cfe72dfe9e8b171cc0bc0587d9

SHA512
cdcdc58231e2ea58801b096562124723c7d6dd0627dee4063e3e51727ecd1c81e9f5f3c766e9c27ff764f4968fe231e7a08267bb6d32b357dd95f8450c212696

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
459KB

MD5
e63687d62894cee3cd6bc4f1706728bd

SHA1
1b143b8b90170a149c3d801f85e6bf2388587990

SHA256
4daca380d12a9d147db08932842d485b4477d231f23765e334729a1b320035c1

SHA512
116688e354ed63455a9d5af42dc813e5af1a221103f192dd292fe78e33c940d591cb1692fdf91b27ea0c2dfe933eb23fac78d45c28080b9ee220a1edced8dbe0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
463KB

MD5
d5ed28ad7006ffad9827792904fbf03d

SHA1
56178aaac84179660063d04cab67d008eeb98c11

SHA256
a912cbec6beb63d1aeeff236623bffb64a2524ec377d51901eb6b09630d4ecbd

SHA512
7c26cb0135074bf4f56483238d092316a0bee7dbe232a0486e1f29a2b6ed7b300d19991f9c45ba1eafcf6051851f8df40d7e8cb345ca53e1b0a0f25cdc9e3abf

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
468KB

MD5
0fb7815d29f6d60d8a3821809296d1c2

SHA1
d1a90089c4aba4ed8b08610bdb3b5cc1bca1d145

SHA256
20f6afa663e65d7d40f991efba7f194c4132c46c2cf9a935c5b26b8bb13dcf25

SHA512
608a9236bc729e9acb915820b8b8f6084cf8dd9de461d51734e54cfe879da941adc0e346fe18d648e78f6785c705089bb19b951f7e45ef2eff406f036eccdbc9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
454KB

MD5
4f023f004d129f59fd0640f5fcb576e7

SHA1
c7ad38b349d722de70e1a807306ed379cd2be72b

SHA256
22e1279fc9fe7feac89c98bcee044116941d030bb7deab139fbabec1b0a66de4

SHA512
601f3f665c73306f1066c8bf7bc087d795a1109c820e845130dcfcba9f2921f1a28d4669a294de7388bb1a9f554d576308bfe15dbb93e5ad7533348fb40374d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
474KB

MD5
cad27cfc9e85ca627d29ad60c03b243c

SHA1
eb751d74a64e38c7278f609e3173163f32775489

SHA256
afeb9c8d80974581f8ceb4a8b61100d7dccd627ceaca820f82e97218c59cc63c

SHA512
879a0d7f512d48bfdb04b33c8d4bfc3b26356f07442002ecd29ee22f9bbed5c13f026c92414e0435336799d3e86c089a197bd723f3ae07b1d823452091a2722c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
477KB

MD5
879d2c4b0730632a071c4abf66c8f9d3

SHA1
d0ca4a4818c109add66f1202424d3d06b05e384d

SHA256
10054e9b8f4fa1e77abc9d0d01138563071df87689e9b8554a06b2f87df2d54e

SHA512
a6c382d43176b4560ac8eb74503395266eaf111b88224998a3633af0ab5e4492eb6a707756c3c568abde1c61ad2576fb5b9ac0b172353b875402ca67f9ec5665

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
bb39c72e40482f13a4b66c5953597657

SHA1
be272b892e76e111dff5fc620d14703a853198e8

SHA256
4c72aa24d270601a39439a7080520567993d94ca7106aacc44fc8baba0457b28

SHA512
d4f36ca91290565b0282263d1ed174f729a7a9f14f3a32a6f070134482caf7c7fd5cd54ba75569056db46e2ed6124e77962df4c7d9a4e13099db068891e64f6f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
446KB

MD5
4dabb7d1bd7827bb787ab68874fbb3f5

SHA1
cf8694acd18b6b74f65bfe2bb2131ae1d8902f7c

SHA256
75a6eb2edc23e49610fe59a815867ae4855dc84f12f9bbb00ce37741b4a0dab0

SHA512
07935b05c51496182721535d5366a9d1179bbfbd075696b2075b9fea407eb64d74b0fdbe905a92b6cff4e26601d0ecacded3fb3da76f8e8d6985e325b9e16e05

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
455KB

MD5
8e652de15b5b6bd6d658ad8d6a49196b

SHA1
58406df250d7c616463b4e1127e18d8df44323be

SHA256
f8309195390a7b958701eb2072b7dd3cb35da168727ef72c0570365b99b54247

SHA512
ddf843351e1eaf3be8956a1c57471ffc5fa3471db63af5104484af8d9107930f201382eb4f24622dac8c391851fb5f8792402ddd676da05cdfaf9e50511607d0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
450KB

MD5
59becac1372984d05abce7ec48fc9f05

SHA1
0faba68be470387910f5c73cb3c9452dfc241dbb

SHA256
fb369b333b5adf14b474c1c4c3646224e20e9eef11e998fed45a9a47c85227f0

SHA512
d09d15ae5dee795684adb6bb4a5d26fe646d89d2c9d65c66f44f465d4f1561f05bfc5c8a24adfb9f542e4a633641ca6a2570e65a67906df7c9276208ce33c6a2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
456KB

MD5
acad0e561c0aad3db58e93b156c298af

SHA1
c9afb2c94c314699da92eae349d6f8eeb2afab7d

SHA256
5f1eaf656b2365b75422bd8c8da7d3a9c46072f7855fd4728e1c1e1aed49cddc

SHA512
2335c78bbee6685911a7a274b1c1d33295587cd4df3d9182306a373b7793b81861bb776144229fe8864d6568c3b65d921e653665325918256bda2dc5bec57d27

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
452KB

MD5
078206d7b9d34c2bf13e6c98dccb34b4

SHA1
0e0d50329168cfe282a897d36a6d9acc54f300d6

SHA256
9f2cb596d731df81d3acd00d75c63034b6ebedaaac4c2bc59eaad30720fdc97c

SHA512
e3beb54da001092d103d33b3c74a786fd9d6902e1048cd919cce8eb3e514864c80d4e4bcb66c57ec2f956568240746716dcc3ea626b91c29f481b1b3c1db7744

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
461KB

MD5
94ba95c6cbb3b7bfdd257f565a312990

SHA1
eb83a9c50906ffaed8ba5dbd978956cd6826a74c

SHA256
3e041c1004aebc431b8dc1ab5f9cdf899c1ba186aa79ca0943ccf23475b6ceca

SHA512
ef1a9de107f2a87ae48f25f1ff1998cc0ec69ea6b56ded9de75be877a3ebc288e5c0c1233c0b4a6aaa6fa02c4ce535191e98098465562b4d59eff5cd5d95964c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
1feb4df77a6467c2f24ebd1783b70166

SHA1
0ce078522c22cd7ea33a9592c1eba075997ae968

SHA256
9f684f1b1c74020f6011c4b49946360a3248965c0be423cac5a05828745c26da

SHA512
9390a6a020337596b72fa44cc67fefba7959b21d2322ec14a67ac7caab1818f9675950ddccc014333b3d08ad22a8efe4d5409c6b67989cbbd17b5e0d13d69f04

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
2030c1fb996d88f45972959c4d9f5c1a

SHA1
5989c1f40e08a8c378dbf44ed7b85355262ca92b

SHA256
cebc0714af48dd5eefc81cea4a1cee663cc3eabc56a8ef66720a3bb4743cc818

SHA512
a4e1f082b1063e85f3a9e1f6d4002ceeb113410be90b2ad351f32c1145b4a034a1f8e99596b12108a002db977fae7b579b6be9e762b2207d1e7c364249512d96

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
452KB

MD5
c3ceba9be61e1516817c92fe12521f46

SHA1
c7f20291fea13ee3855751f030feaee64d9f542d

SHA256
bf43b34074c9a87c74b3e7c6ff9679251d539c979c212852b7702abc12148771

SHA512
3272e1f609ffa4663a64348b9ff0b538ffa94bf1a486a465927aef22062574e0441b22ad0e23cc76c0160bf9ee612ba5b18e1467c057381e959ec32ee98318ea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
453KB

MD5
ddfe60a99b01c8763f8b282bd2b3e2e6

SHA1
f3a2cac5c7601de8b3f2b1f88591f0c891817eef

SHA256
d52bfecf345af161a38f1ce1d09d4752c2fb4c4f3eb8db915d186fda63f82494

SHA512
5770d0db0e9629fe992d43dbf4247d1fa8e76303b2a6bde9aca0407323a1a1da14d73acff4e3467b0b7177985ed526f37df4077b07541471780b2158ddecfb94

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
450KB

MD5
997fa5cb6b4e6e96d76c2dde2cf447e4

SHA1
565bb0065fa0ff6eb9685fe08724de87e12eabcc

SHA256
ee2059550339c7a2963feadec3f1f6fd9545112b8b05010b7201f0cf35fcbcdb

SHA512
f8f46ca7d7ed93b6150929c53960c328cf7c957c09e160d0cc2d258cc432cf309a055cc2f1d6dba25be319d87fc52afb6ff7d9e2617b640e42772dcfcf1d247c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
dba5c035b8151e22af79601b77ce24ff

SHA1
a7790151f10db75b99b08a725847d9fd5e70c69f

SHA256
ed7e4fa634087707a7160f34ee027f77482197bd64432ebae8ea2191cbb207c7

SHA512
ded14ea9789e4ae40621fdbd73159dff9cbea7d4f54402c5fa310c77ca7619c4b2f636425d1a7e1abf57c93cddd4e8b6a49f9d66e88b4297620d9025ed4bf164

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
447KB

MD5
05fc9298b4f68d6f0c20f840c61dec49

SHA1
47d287bb301c525aa6f58e7a1fe16233df0ced46

SHA256
3edb1aae7753726aebe723545e13c880cc786d63b018b63921d90c331bd4aaaf

SHA512
9afaeef492d3f3c627ec0f6ea02b610c7cc58386ead9d833f05022f890bd85ad050f9dfcecc207ad95266078056081e9c1a62bfd462cb52f8c6efdbdf227ca97

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
471KB

MD5
cfe97c0fb5191e803734a9792d5fc548

SHA1
06f64b220906e51b7bce3dcd5c50a1503e56aa50

SHA256
7d25d6606d528e49edb34820a8d6776c8db1898eee70ee02252a76b2b2d82671

SHA512
a6a1e52c7b803a957a75b0bbc76b4a4fcb4bfe6964cb29f2e00a56e4e78116c551af955bc1311171d645fd8492f50f2e6746687e18aa214e2456228c2038770a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
452KB

MD5
875c93ba574272c05be095f6ffe42e85

SHA1
1418c9b30d6fe4a6454991f8b9d20471c67d6952

SHA256
086358fea43e0fb3a032db0b556d61355f0e63d62d0181f4c8aa45ac18628c91

SHA512
bbf6bf00b0c72f85f378ce290d0c751da2bf1c724fc4fabc8a19d4d24e75af0e0fa481945d4ac3c564ee7776c6aa4a8ba4c15a0e507e8e60c1c96ba046756c32

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
471KB

MD5
bd32904099902c08a3d06f11be8eb9b1

SHA1
f50de889012badb7390aec78363bc2572419dbc9

SHA256
3284482d78e174b4737cc6be8cba26f4fe349ca3cea668de33883dd6564b47a7

SHA512
4738d7411ed743319a60957baa8fc1d7f5592a61416ad60ee8c3fd958eb48c159dd5cf006c3f15a79a63c950f4a1f3d844d02210887ba4d61788961b5ad7aff3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
460KB

MD5
a544c4000cceca4917dad79d75ea133b

SHA1
5250439851aa4d5cd15a7ec04473d2f5cb13393a

SHA256
30e7bd46a363b281a47f26a0329416a55c1f647ae7167f9a8d09d399c3b25b3c

SHA512
cd05768c8d397a54f46503010461894725a12c5e5c44fb43cf641b16e9b5c2d51c844ef02c036890777abff374fef8a9d691b2b032bfb43326fb6b843de634b7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
18b5b83ee2614c7a620c7790527157ac

SHA1
5c4bf9a81d2c5aa37cda98e55643fc4f21cda94a

SHA256
c1af1c472e7e37fbde58954daf244e830152faa904f6ea4096a1794ab9134552

SHA512
135f4201f81b8584716931adf2863db362ee1a65ab9ee001423ebc262b061d9116cb207c54a3647985c8e963ed1dc2e8d709e6e27cd443023042c7241c1df456

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
466KB

MD5
7b57bbca781c9a033fa4839b96057f98

SHA1
fcfa04805fd88911b096c77e91f2bccfc9713df1

SHA256
3af3e1191e6b1f1a0f60e257eb0c302cc43ee52d8b524684d44a5868755c5060

SHA512
c4f9f68196a518d101599707d635cc255c2d92c3d8f0f908829bb0c583d2cbf95717fa9ced9b9e925d9be3f93407cfa422a996cd57a66be0e09b395d14eda1d1

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/228-237-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/484-46-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/820-178-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/944-307-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/976-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/976-22-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1004-213-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1072-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1232-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1284-201-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2004-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-261-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2064-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2408-154-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2472-298-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2576-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3004-190-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3128-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3380-118-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3436-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4532-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4564-249-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-34-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4688-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4692-94-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4756-278-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4756-289-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4832-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5056-130-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download