253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5

Analysis

max time kernel
150s
max time network
190s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Size

1006KB
MD5

b680beae90df0927b7755a371f9d848b
SHA1

8816fa0fbf71e67b068e2a2ad0e1989dc19563c6
SHA256

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5
SHA512

4ef228c04e89dd8538ae88230f1f13953fc588a58195e340db05e049c21d7d67df1d74cadf06306e76be00aa7517fcabf773279d416d1a8c4dd3c751ccc5dfad

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Modifies system executable filetype association 2 TTPs 20 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 42 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

pid process

760 253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\S:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\E:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\G:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\M:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\R:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\Q:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\U:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\E:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\F:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\G:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\X:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\O:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\K:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\P:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\X:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\R:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\S:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\M:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\Q:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\O:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\I:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\L:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\Q:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\G:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\L:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\M:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\K:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\I:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\K:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\H:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\T:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\G:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\X:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\H:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\H:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\Q:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\E:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\K:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\X:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\R:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\H:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\K:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\M:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\S:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\U:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\U:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\R:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\S:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\N:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\J:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\I:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
File opened (read-only)	\??\V:	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Drops file in System32 directory 1 IoCs

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll 253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Modifies registry class 20 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

pid	process
760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1288	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
928	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1704	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1544	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
412	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
368	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
360	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1880	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1276	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1156	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1548	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1256	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1768	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1216	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
1780	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

pid process

760 253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
"C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:760

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:368

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1768

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
C:\Users\Admin\AppData\Local\Temp\253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
21⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5350595031ff8f210db958153c671fa0

SHA1
b2cb839bb8d3fd6c5da182ef5f52835e0b9cb639

SHA256
0df183366aa1cd21feb8518303b0746921c11d9e9bc0feb67e044fd58209120c

SHA512
d8057cee6b5b93a8fad9c556d54dc43b94cdc38a64bef572465a2cee63e5382b65e7d7b880c5ee5d6f8f054a3a4b45269ba51f21c2bb83913a574373b94e577a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3b41c82bb10f53ce44124dabca615db0

SHA1
001dd25b1cdf34dbc45344115e181f2d169ec03c

SHA256
d3957bfe9caac3c2ad4fecb8469ed271ac0269bddbf1690fd5b0c3ec299d9992

SHA512
39ad41f195de193e6b46b94644190d5e1949df9254707c8c3edd90054d737dbd881a17d35a52e525f2175ddad476b724d26cfa98fd643e33fe521b5c82303b65

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6d207b8c0d233340430de1b77a094a31

SHA1
7dd48878966c4deb54001c2c907bb523fdd87b83

SHA256
6722edb4be55abc2ec7a637553a14963193c714fe92da68395360ab9675895d2

SHA512
cd6777392b481a446f99fefa9a848567f5aa0c9c312dd01704713b4304c7783dc797ea704527e94ec80e69a1cfec436dd10ae0a72294cebb6baeea3b3406d3be

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
71cc0195b19ff02fee3370a2d963a627

SHA1
dd30538f4cb0eaf976aa6dd096e8708765795c53

SHA256
8f19e7fe67b2c0e2e53ab5f996e2193a8453e5fda727abe6c42ea9589dd4d132

SHA512
86e605bc2f165f2e6e063132afde5ea789311e99a4833ee45d8e30d392e466661d3875df8a0ec1a84d81dbcdaf7bc3d2aeced993d227d687dc1727234f8ee206

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4f4c0a31d91873f6ae10bcd0afb602c5

SHA1
a067826b93cae2a5b3ced7104b30b965fa7186f7

SHA256
0bd2ea6b48c02da646dc22b184a632774cc29b24ba105daa34d7edc2f6bbb0a3

SHA512
50f92e477d74f8ae7e48590bef7ddbf4535733d6ee0f472b812e0f30ad488b8f90a6b21d8862e2c52ab682add9b0b471dbf73dbd7ea724ff1539576e3c13a6cd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d672d00a8a47383210b54c7ee60c6bd7

SHA1
3890f157978a19bc18ab80a156c50ce4104106fc

SHA256
0e41158b5275cd06d42de9ce8fe1bb665823ffd94f2746c5f6fbec91ce3d976e

SHA512
6dd2664d5f5091e0194babf42d3fc48b8dfaa0417fc10efbd1619f8f31326ce34fa73dc18389ff1fd8dccf52cea54b6d133744f3d2674d8bf9b88e1033283aa6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
be33478bb748ad87885421a2708eb56d

SHA1
bf324d089caf22700596fe0f7331adb6de780901

SHA256
86b68bae37a6a1d5ad392b58a2c1684e772277e8630f9b2a1c4129448bb11288

SHA512
310fc87a32be1b3003fe8ee702762e81604fc3a2a8741508ffaf1e275ee0c691a7fe9692f69d3c9093a42d3d8a9d32c2bbd5faed83c273c604ac5514bab8ce9b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a5ddf18827c8096973af05eb46ac4dfa

SHA1
3096d1a2dc3202b38a581b0d69cfbdfe2e8e71d7

SHA256
36d57ee65cb6e17be3cefaeaad369d8be31f31338db1f1b0c1377fc9d568985d

SHA512
263e7372707d935b6faa8f4eb361927af3ee7c632129dc91eba937d70d869299a7e72dd43527e592713a81d8459affb114b584db8dc4928dc592f9e73167395d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3abe26402db01340ae4532b9a936e7d7

SHA1
77101c44f05753840fbaf8cf8ace4abe772870d0

SHA256
dfb91931685e40e5080ff0819e4c49de663525ef0dcbac3dc7b33a3cd655b0df

SHA512
1ac4c92ebd1afc7889bca76063aec78dfe70e440cab187016fda0deb07fc9082c0aff4e8524231d8f9e32c1763296a8ab3954b042a89f29a8809bb7f32fba6f3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8ca26f4e050d07b3047d053a7e023cc6

SHA1
fcd4cf7d206eba1b83e1f5adbe65dc45c1225bd4

SHA256
12e843bf070d5e9d6c903cd1ed55f633aef3c01cfb9d99c66ba3b975ca415ace

SHA512
b3cdfbfb12b6fdff7771d8e2599525bdf30784e6f39e41a17450f0ebfd232572545b7330479177ed1063ad702353501f5526845b5dcbdcac8a274ed40b8c981a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
380991806f9a6f8d49db06c9fe2e66ab

SHA1
f26162ad74b5a22f75fe08932543610d34a65c2a

SHA256
845f4b8e20b34513c76e5d341186ce5c5ccf81c145e3f918422e271e291a6c6a

SHA512
8c5230d740c56afa0177d74d9dd2b92cd6ffaa93f08ccbcc61dd2199e5da3efd0567737b5e62cf9bc8e20b470e378974a9d995b53a8c5931741ff3752d9679fd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e1025de703e8220f09977a429dd36be5

SHA1
d1dad5b8fb59c272bbd867294d76b43a9b570d58

SHA256
55e72e5ac7ffa6874cb520cc4723f4e1cbc0f2a1ab20d9e6364ccd3649926db2

SHA512
ca30f174a230e1c2dc94bdf51b7597e417f2ea5fc2de46a3c2a7287ab747352f1e4f1c0e2fd7d9d522f200a594b81b756fe922b6457411c3337925b219f5c162

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0670f941d35478d530d12550bc95b523

SHA1
d93eaeb1344a9a87d4a6e6c1ce434ca8823ad9e9

SHA256
78afe21115b8ed163d5321b565f47a6912c91a25c1ea34111d181d28d22c2b1d

SHA512
dda8c4232ccf488bfaa6759c0abdd317f033bb1c6f4a212bd40c4aacd9213cbeae519987b5919fa2a12662675bf1635155add4b29369f3d5a79965e6f15409c3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bea84a232e4dbc91bfe25f5e764f4d3c

SHA1
93c59c62e63d75a70eb6aa0d5acb9263d4fe5abf

SHA256
560e251bf14e3dd230cce752cd50c38b1db55f1dcf1192c6b629e69ecb9474ed

SHA512
0e8fac6cf6fa49dd0a0f377feb13d587e49e741b9fcc8b3462d03ba3f437b9befb4210dea65ca201d40ef5c0b69d52398f5438a2e4d3a39f853ab17927c2d2e3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
08cbccfb54c50f7e68318a053f4cc239

SHA1
768688f15e5bae13038137c6ce55153cd4ab383e

SHA256
b97db654ae58eb443d165c0237c320044c95ca51cd383fcb07be3ee260ba446a

SHA512
8a0bad560919141371fafc0a02ef078a1e07a9a62a0686b84b2f437373a8d2478afc78f233a0ea0ce5dd382faa29332b6b4e802835c0dc600650d61b4f42f272

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b70067712b6173a73c18eafef09c4dc7

SHA1
3f46e35ce34947b8baa3ded15ce6974a5821a1d0

SHA256
0af829eaf621e91519c4197e2afd879b2700f48a435f6d19738f318cff019516

SHA512
9f3dda6463af197d477e21eb5cbf6da1d35a6de0327b52e17adf5b3574f2a5ad4959603c9f820cfef8377d810439d899f6e1fa59bb95fe4a5f41bdcae807c745

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c4daacab20daa415997e5cbc1ba9a9fd

SHA1
90730cb60d26f562802fb68654d8b6f626bcd73e

SHA256
d3d3c0b28bfdfa8422f86c1776b20a8b489712e29fd1266350ad96aeec0fc9f6

SHA512
5065a5d1b201365f2ce78035fe689108d05deff520896be0406204632440a907763da3ccfe48fe99f664b0180edec63656a20c20bcfdc0d5bd579ee2537a2bd2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
18fb855d287ad6547bc4ae3a926db925

SHA1
5537f3947639cf241ef41b1f34644ee6643d955b

SHA256
f9aa3553bc227590f12c1fdc792e5606ada571287af2f6fd44644c80a51f5d25

SHA512
80f1ebc11e82f96cf6976eb7f9a558321cbf86a8ffc324a26a08f62e24cddf53735576722dc174ff053fbe8a48d69c87ba5bf00aa220e92bd5eb662bcdad5ba9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
73b9644bea004a2730f94ddcc2901035

SHA1
8bd8b540115718e1a6ea2cd44125163b10008b67

SHA256
a41630c1fb4b97dddc711564efc033a21ab2fc17c3ec803e444925c5fe102898

SHA512
b9b8df58c5cc5d629786db55ea368022313028bb5e5cf8cb37eca81bfa25b32fb784205dcbc185f555dbc2396dbb0877579908de39f137317cd1aa50f579e4a7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c24ca9760e99d2e9eaf6f06caecb47c7

SHA1
75ad0382e727f69eda2162044215b413c2e1ad60

SHA256
72b089d5bb8d82d4d2a3b7ff012b32d4aa49e7e7adb006221ea977e48a8db540

SHA512
beab30494310101d3e7a60763b74220816c5bcae1598669062369dcd95daaefe4e6b27368c4a3dc8686fb7d8be6fa232e9ce31987d9be4c9b5051f9193407ca4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f1aa3b3195a891f27f5e6dac9d58672b

SHA1
b6b83adafa022449e668604201b3b6e75f50143a

SHA256
c48f712419d8626f1094e56e24c4a0e671ddc2b628a988c6b6e0d9c8d7786065

SHA512
075db1528067f31dda8eac56e28affeb67dd8ebcf5c1a8fe70a777c0996f74132a6e35aedb9c985ac3ea4a84d6df25c79a2a58f61e5dccc8be8faa37ee113ecd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6bb8cb1e4fc0a18ad4195c68be84c013

SHA1
b02bc3b9d504dafc90a4067d57c7d12affb8fe36

SHA256
337efc7c3329f2b8581937f7869ac5f40da8ffcac5e6ca69eb8513f37e35282e

SHA512
df82522c67983c03b8010e1d101eb8da090ba1d0bf6502cffe965328c460dbdfbc889c4ccc0dc485cc375b3532a190233b48a3820ca3e95caefae180fdf18ed5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6f83e3d2680c2061807267abb2a73339

SHA1
7fa3b70ab840cead26ff1d43b1fa7caac219d3ef

SHA256
a7660384248a26a7bcd966764be742c5ba504e00cf5f554f04fcf7c114b560f5

SHA512
25db74fd82e9a6d356bebce6fb175fc542f1686bdcca515023bddf2a709f958f9011fe0049b0bc1232f3b0a0f476e9ed17c3714e8c3aba418a04d344aa4e9029

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
529da96092818e082ecc881d865b087f

SHA1
42a7367e70e975e5f4c6db11dc07aadb1e5e6f3e

SHA256
ba4d8d49a367c20fad7c6725c280bc4c0116063a7419d323743ca67da1f5dd1a

SHA512
ce0343122b028b30261de33a0529f7545e3bcc9548a5890b1a8d66218a4a12db5ff8a2486488271cfddaacac8e7bc2fb165af1b8b9a6b79a980b4447034f24e1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
56a681ba9121230f05b295bd3dca2bc9

SHA1
90a152af2d15f3a0dcc17407502ed9b2b50e7192

SHA256
ebe712950d455b6b2ed57b5084e157bb5f64ac99f767cb778a895efc4095dc06

SHA512
c50d3e2a745c11c83cb200fa00bae1d56f6f809b7c20138d71d2f12dfad469e69fc7d34df093cb014cc1c6507d93b80a32b34d033c0dedd23df2c0647257c632

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/360-102-0x0000000000000000-mapping.dmp

Download
memory/368-97-0x0000000000000000-mapping.dmp

Download
memory/412-92-0x0000000000000000-mapping.dmp

Download
memory/760-87-0x0000000000000000-mapping.dmp

Download
memory/760-60-0x0000000075051000-0x0000000075053000-memory.dmp

Filesize
8KB

Download
memory/928-72-0x0000000000000000-mapping.dmp

Download
memory/932-157-0x0000000000000000-mapping.dmp

Download
memory/1156-122-0x0000000000000000-mapping.dmp

Download
memory/1216-147-0x0000000000000000-mapping.dmp

Download
memory/1256-137-0x0000000000000000-mapping.dmp

Download
memory/1276-59-0x0000000000000000-mapping.dmp

Download
memory/1276-112-0x0000000000000000-mapping.dmp

Download
memory/1288-62-0x0000000000000000-mapping.dmp

Download
memory/1544-82-0x0000000000000000-mapping.dmp

Download
memory/1548-132-0x0000000000000000-mapping.dmp

Download
memory/1704-77-0x0000000000000000-mapping.dmp

Download
memory/1768-142-0x0000000000000000-mapping.dmp

Download
memory/1780-152-0x0000000000000000-mapping.dmp

Download
memory/1880-107-0x0000000000000000-mapping.dmp

Download
memory/1932-117-0x0000000000000000-mapping.dmp

Download
memory/1952-127-0x0000000000000000-mapping.dmp

Download
memory/1952-67-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 760 wrote to memory of 1276	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	reg.exe
PID 760 wrote to memory of 1276	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	reg.exe
PID 760 wrote to memory of 1276	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	reg.exe
PID 760 wrote to memory of 1276	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	reg.exe
PID 760 wrote to memory of 1288	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 1288	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 1288	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 1288	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1288 wrote to memory of 1952	1288	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1288 wrote to memory of 1952	1288	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1288 wrote to memory of 1952	1288	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1288 wrote to memory of 1952	1288	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 928	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 928	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 928	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 928	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 928 wrote to memory of 1704	928	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 928 wrote to memory of 1704	928	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 928 wrote to memory of 1704	928	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 928 wrote to memory of 1704	928	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1704 wrote to memory of 1544	1704	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1704 wrote to memory of 1544	1704	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1704 wrote to memory of 1544	1704	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1704 wrote to memory of 1544	1704	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1544 wrote to memory of 760	1544	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1544 wrote to memory of 760	1544	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1544 wrote to memory of 760	1544	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1544 wrote to memory of 760	1544	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 412	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 412	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 412	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 760 wrote to memory of 412	760	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 412 wrote to memory of 368	412	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 412 wrote to memory of 368	412	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 412 wrote to memory of 368	412	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 412 wrote to memory of 368	412	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 368 wrote to memory of 360	368	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 368 wrote to memory of 360	368	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 368 wrote to memory of 360	368	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 368 wrote to memory of 360	368	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 360 wrote to memory of 1880	360	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 360 wrote to memory of 1880	360	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 360 wrote to memory of 1880	360	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 360 wrote to memory of 1880	360	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1880 wrote to memory of 1276	1880	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1880 wrote to memory of 1276	1880	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1880 wrote to memory of 1276	1880	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1880 wrote to memory of 1276	1880	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1276 wrote to memory of 1932	1276	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1276 wrote to memory of 1932	1276	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1276 wrote to memory of 1932	1276	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1276 wrote to memory of 1932	1276	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1932 wrote to memory of 1156	1932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1932 wrote to memory of 1156	1932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1932 wrote to memory of 1156	1932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1932 wrote to memory of 1156	1932	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1156 wrote to memory of 1952	1156	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1156 wrote to memory of 1952	1156	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1156 wrote to memory of 1952	1156	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1156 wrote to memory of 1952	1156	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 1548	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 1548	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 1548	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe
PID 1952 wrote to memory of 1548	1952	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe	253480945e2720d5ba404f9bd5bb754aee6ca21877aa040d130eb2cb0f8969c5.exe