43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9

Analysis

max time kernel
151s
max time network
151s
platform
windows7_x64
resource
win7v20210410
submitted
18-05-2021 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Size

137KB
MD5

b3b5ff59f6ce47ba7a2bc777c455e0b4
SHA1

ae14e201706eb2a1806bdc0370f33bacdbdd30e0
SHA256

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9
SHA512

7b313bddd7da2aa198b275028f799a063aff67ba921dc24021a57c1a5b1a375b87b19b21c7e41b05bad1454ed9b3a685c2d6d7e90fa5bafe104768bb0350d12d

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

ACProtect 1.3x - 1.4x DLL software 30 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
\Windows\SysWOW64\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect
C:\Users\Admin\ftp33.dll	acprotect
C:\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 42 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Users\Admin\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Users\Admin\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\ftp33.dll	upx
C:\Windows\SysWOW64\ftp33.dll	upx

Loads dropped DLL 14 IoCs

Processes:

pid	process
296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1572	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
936	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\W:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\Q:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\R:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\H:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\O:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\V:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\U:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\R:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\U:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\U:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\I:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\I:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\O:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\O:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\O:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\V:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\U:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\O:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\Q:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\H:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\Q:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Drops file in System32 directory 14 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\ftp33.dll	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

pid	process
296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1612	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1984	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1104	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1668	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1572	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
936	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1804	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
456	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1368	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

pid	process
296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1572	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
936	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
"C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:608

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:324

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:936

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:456

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
198985d4b5d15ac2179eca0042f13dc2

SHA1
3276b6015898ea39036e6ced77af6f52763b070e

SHA256
b90ccdbd88b843b0d39fec9e228dbb694ad4a044f5dd373ff2349b781deb93e6

SHA512
9b331370b4a854832b16d3f7462b9d9199da29c9b1160ae09305d7cf2f84cc324a2f4ee363de4a5232c6a21865764cfc100b15cedbceb57ae8921edf4a82f081

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
9f051d452230e6db0c59c794f665e0b0

SHA1
c74e4674ec18062b52f6d1e35024997d9eb7c37f

SHA256
0501c7fc6d96ac819f29e3891dc05ae23d12c321e6b41b602ad846eb28218f0f

SHA512
a74fe7c071a3cba0215afcb58be1b2dab7c7d636028425f48acb8f53d1ad44d09e7cb9457d175b3db7f2df0fc63bfeb5f17efe3778b7e9b5710b30bfab75205b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0c0c55e84c0e385cde7d2268cf76cfcf

SHA1
8f55b543d42e9145bf387748344ea1fdc6003442

SHA256
c5a1c46db150e174d5eb8045954e7631f44802ef15e01191ad5031821d6ac2d3

SHA512
36ef2dea940aa2ab98c918f00434f94e3163bd6624d871cb14beaf5e271b382d34961eba3d5f4d67e32a9c17d60c398a464497f498f1c1f780e43f440b9d7390

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e568d417439f098f468efa19453b8292

SHA1
e6923fa00969840021db9ac696a9c5668bffb279

SHA256
016bb1b3cc4ac4d6744be6a3963139ce5808bde41c452e10c9938a12fe4ff10a

SHA512
90ab07045d3f451ec0182372054939a0c131c21b05d12451f95f9cf8fcc0fac4583e69eb1119dad1b63c8935265c0d2b714922a1012242af190b5b21de4f9035

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b7859d781536e063d3ec08ec3abbf920

SHA1
c3aee9216ce896c884079e02198368721546c2a9

SHA256
3e5ad306cae5503a9fa6ab164bb32a150a11a294a41e9c0ea5ece061420f8e98

SHA512
6518dfc67cb226b510b42f1c97f139a8a6031dcb8d6315ab640c209811fbf334fa23fec97bcb4a5406ebbdba3615dd2276855f81b35c6a78ef3fe07e81b223d1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6cc34bd96593c3fcead45c1c0e0a0063

SHA1
377647f8bc15517dd6660d6f6581fca88893f612

SHA256
f37050535f2aa575562ad80f1f95ffe922d00773b09fdbb8f348de16d7e11ac4

SHA512
7101c506fb4b09877ed28d3ead67074f9b53c61c891aa82cafb3fd659ab1625a1ae0073a6bf5a7ff2ef265e14dee28ee1a5d6c6bac0523ca9e86b5323f8c299d

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Users\Admin\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1424e50f4c5db28673e5afa37812f96e

SHA1
000207a53bb02d591ec0238e034844c64e9d390c

SHA256
8f7d905c775325a13c5292b462381b4b315026fe44871c3ba2f0ad23953dd770

SHA512
adcd3f739518aca0d257c37bc270b685de173393948bf8730a02eb10488b7a693f11628578337b53c84beceba7ad649b66cc389f0235d06db207418d841cfc67

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8e9473d6307210d068233411f64ad6a2

SHA1
318ad4b77c11372594ff651817d4560bdd082868

SHA256
426b772fc81fa47938e0ae1d3c9e9fab76577ff6b6d5e2a704b9a1f14bf64bfe

SHA512
aa18ac0fbe0b4ca4dab36efb5f5260b1942f490d35cbfdedd7337c6eac2f66b58fc727a1c734470abe7c566fa251c9a78a6fedec7146a992c3e89e6233ad75b3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dc657e3cc7bb492cfa906a09d0371815

SHA1
f93d8ee5324e95efd48e97780af825019711a3de

SHA256
a2c36062f04955636c2d043756b996746f1ce0e914037cdb3309323060529a20

SHA512
60a90283e205e702d0ca99e0a921731d61f5b61d734c5586d278e44dfc1e0c73c028295bf9f7e9b361d572f4c24cd8e5543e34d1a66289562d52a518261a7a2d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bd27416288dbe39ceaf7cdb174ff7679

SHA1
c3c56cb1b4e4684b80a0494163c7b03ef4b3061e

SHA256
3613c6a95c262c7ec27d9bbebd8fd6eda3676cdfaa1bf2661c156a6a8bb38dc6

SHA512
fd517f08ec73e82c4ffde1f4ba8c1a5d2e02a5b971a5e9418149623255075a2b687eaf1d420effa7a42835ab82dad4f077222d78c749783f569830c5fd2e8342

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
82cc0818b30aa3980a39936cc7f7e01b

SHA1
9dc90b489f7a85f48e4bca0990196e7826cc8af2

SHA256
96ff7da1d5870abb4963e03438f7a4d7edb832f8173107f2d26fa302e31b60d1

SHA512
948bc152797a6f49e385e992442caf9aa71fa002b2b19cfff68b9b285b566378b1772ae3ca6ff33f9a2f92fac898eb8b31faa675d7e3fb04dc7333b6f45d0c95

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
224d5ad62f5a9c8065760fa549c38d26

SHA1
9aa16e66be189aed5ca8934394dbc76743074325

SHA256
511a3609d2723038c03018210ea844a34fa1aceb4581526c8f655b96b8d41d56

SHA512
4d43a428bf0366c066fd13f14f927adf43fd9cccde2609979d1696a9070d1923b5b33b94b69cde5b387004a372a06f0371edbaa1a5594d47c49950b1a67afa04

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
39a2a2e3c8f4705d360b286a7b5ff826

SHA1
8b3b4e1af98bfaefc49d9dfc88b051262698c6a2

SHA256
72e04f44c7fa77707ca7f3f76253d3bbcb2cbdb291afbd39e6d7283576fe87b7

SHA512
d1b6741b677b2deb4f1cc7f687cf008774ed3cadc8dfd242006b28a556b8335829af8e7ecb3ff964327e3945c1a16e30c30802d3529683226187d3b50bd5abc8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1c60e06a5bdeb99be896abc5eaa8736c

SHA1
ad343f1750d3fb5a765a98d69b9b0ed3c5c6ed1c

SHA256
4df8a1492224fd7cdbbbdb3f3f3aff1f4a71acebf16d759b774655904f643bcd

SHA512
869a24ef53f92c3e65d1f9f955eca57cafca42c39b6b3e4ea1b1ec96bf3ca00c6bf58260a1ea4005b0dd5863622d9ac171fcfdc5f78d60ea535f9550a62cebcb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
08c45a109f0b9bb377ec38bb57dda1e2

SHA1
7b4d11a4475259057423049b0ec521786dcb3b48

SHA256
e5140c05fd4e5fdb5e4c538923df397a56beda8cd80afdb32923d507df43901a

SHA512
f7596ede7b9c92321b7fa216e0ece4ff62e3f55eee347230bde91a76a91e2800ea7fade4e7af47e1816c9e9273647d3e1c755e8525ed36c11ea71a44e73bcaf4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fb637bd47e485624f1003dd4c8c8eab1

SHA1
ffb210e792642f844b1d7be96a0a2bc23cc74944

SHA256
046ab552b12bbbf25d91776967a5fcd09096abb4e4e4048fd7283679319b9cb1

SHA512
bbce35734d058ba606ece7599e83a9ce4db3fb5b48536e70891a49c72cdb5779b27955efce2e3bd99adef542569ec1250c78bbf508716a248bd8245f233d79ea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e72b88275e0784f91e5999801b420500

SHA1
9249ae66491198b3bed72e97678403621cc1e538

SHA256
46d26e5197df3b40005bf6af0e521b6f05899a81a99c1c21f5c5e4689d696a26

SHA512
0ce329a73c7cb76869bfcd7cb1c196aafe0017c6c8b7f3f5fb9be9734aea9b61cfe5363deb551f531c77f6f16a35e1f52505579b42680cd5a885ba8f283da3f3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
eb6523c53078904f002286165e65d01b

SHA1
4bdf47b286d41a7937c2f16cb4ca6b1c64b964dd

SHA256
5853a4ba5a9a13d9c3943ae63052366e0750034afa5b72014944f6cd94cf2ade

SHA512
dff8315c1d8458c6050550147888b28fd1397baf4ef5cb70f9116e3fab0c87a50817e8af0024491502094d756b50e743933d3822af2e939b894275dccbee728e

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
8ffa7d4ee52fd3b532b0a0fec4ddb9dd

SHA1
2669ef7838ab6abfa14193747af4f19dbbbfe54b

SHA256
2112e23b3eb7d354b7275261d529702489bdea108f766246f71072357ce8561f

SHA512
982b88293e80399b85bd4f26d0c0d83610ec57b32fc6db8fba0a8c37af6af18991b35376017cb8a918e8af517b9bd71761e8ae843e3a98054a1ea54f17046e8f

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
8ffa7d4ee52fd3b532b0a0fec4ddb9dd

SHA1
2669ef7838ab6abfa14193747af4f19dbbbfe54b

SHA256
2112e23b3eb7d354b7275261d529702489bdea108f766246f71072357ce8561f

SHA512
982b88293e80399b85bd4f26d0c0d83610ec57b32fc6db8fba0a8c37af6af18991b35376017cb8a918e8af517b9bd71761e8ae843e3a98054a1ea54f17046e8f

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
C:\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/296-61-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/324-145-0x0000000000000000-mapping.dmp

Download
memory/456-162-0x0000000000000000-mapping.dmp

Download
memory/608-84-0x0000000000000000-mapping.dmp

Download
memory/736-105-0x0000000000000000-mapping.dmp

Download
memory/848-76-0x0000000000000000-mapping.dmp

Download
memory/936-158-0x0000000000000000-mapping.dmp

Download
memory/948-121-0x0000000000000000-mapping.dmp

Download
memory/1104-152-0x0000000000000000-mapping.dmp

Download
memory/1160-100-0x0000000000000000-mapping.dmp

Download
memory/1192-129-0x0000000000000000-mapping.dmp

Download
memory/1348-137-0x0000000000000000-mapping.dmp

Download
memory/1368-164-0x0000000000000000-mapping.dmp

Download
memory/1572-156-0x0000000000000000-mapping.dmp

Download
memory/1612-93-0x0000000000000000-mapping.dmp

Download
memory/1620-60-0x0000000000000000-mapping.dmp

Download
memory/1668-154-0x0000000000000000-mapping.dmp

Download
memory/1784-71-0x0000000000000000-mapping.dmp

Download
memory/1804-160-0x0000000000000000-mapping.dmp

Download
memory/1812-113-0x0000000000000000-mapping.dmp

Download
memory/1932-63-0x0000000000000000-mapping.dmp

Download
memory/1984-150-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 296 wrote to memory of 1620	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 296 wrote to memory of 1620	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 296 wrote to memory of 1620	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 296 wrote to memory of 1620	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 296 wrote to memory of 1932	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 296 wrote to memory of 1932	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 296 wrote to memory of 1932	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 296 wrote to memory of 1932	296	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1932 wrote to memory of 1784	1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1932 wrote to memory of 1784	1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1932 wrote to memory of 1784	1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1932 wrote to memory of 1784	1932	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1784 wrote to memory of 848	1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1784 wrote to memory of 848	1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1784 wrote to memory of 848	1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1784 wrote to memory of 848	1784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 848 wrote to memory of 608	848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 848 wrote to memory of 608	848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 848 wrote to memory of 608	848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 848 wrote to memory of 608	848	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 608 wrote to memory of 1612	608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 608 wrote to memory of 1612	608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 608 wrote to memory of 1612	608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 608 wrote to memory of 1612	608	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1612 wrote to memory of 1160	1612	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1612 wrote to memory of 1160	1612	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1612 wrote to memory of 1160	1612	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1612 wrote to memory of 1160	1612	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1160 wrote to memory of 736	1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1160 wrote to memory of 736	1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1160 wrote to memory of 736	1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1160 wrote to memory of 736	1160	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 736 wrote to memory of 1812	736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 736 wrote to memory of 1812	736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 736 wrote to memory of 1812	736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 736 wrote to memory of 1812	736	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1812 wrote to memory of 948	1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1812 wrote to memory of 948	1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1812 wrote to memory of 948	1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1812 wrote to memory of 948	1812	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 948 wrote to memory of 1192	948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 948 wrote to memory of 1192	948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 948 wrote to memory of 1192	948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 948 wrote to memory of 1192	948	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1192 wrote to memory of 1348	1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1192 wrote to memory of 1348	1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1192 wrote to memory of 1348	1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1192 wrote to memory of 1348	1192	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1348 wrote to memory of 324	1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1348 wrote to memory of 324	1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1348 wrote to memory of 324	1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1348 wrote to memory of 324	1348	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 324 wrote to memory of 1984	324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 324 wrote to memory of 1984	324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 324 wrote to memory of 1984	324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 324 wrote to memory of 1984	324	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1984 wrote to memory of 1104	1984	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1984 wrote to memory of 1104	1984	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1984 wrote to memory of 1104	1984	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1984 wrote to memory of 1104	1984	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1104 wrote to memory of 1668	1104	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1104 wrote to memory of 1668	1104	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1104 wrote to memory of 1668	1104	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1104 wrote to memory of 1668	1104	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe