18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
18-05-2021 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Size

147KB
MD5

55dede435e9554e774c6261a28a6bb7a
SHA1

3c33d40755f495fa32c912f4b27098120632618c
SHA256

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950
SHA512

c07ce045112569fbab87a93e39e1614fd21913387cdb022d5fed5da069d3a6cc4e694af084a41538fb6638544c2d391092a0f7c265c5215e13a610483d94041f

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Modifies system executable filetype association 2 TTPs 22 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Loads dropped DLL 1 IoCs

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

pid process

1944 18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\N:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\I:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\G:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\R:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\N:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\I:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\I:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\K:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\K:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\K:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\K:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\J:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\J:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\R:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\U:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\J:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\R:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\R:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Drops file in System32 directory 1 IoCs

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll 18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Modifies registry class 22 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1640	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1320	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1596	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1436	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1068	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1536	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1192	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1924	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1160	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
936	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1096	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1400	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1084	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1060	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2040	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
844	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1076	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1224	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1540	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1664	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

pid process

1944 18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
"C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1596

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1436

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1068

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1536

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:936

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:844

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1076

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1224

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1872

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
23⤵
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
828e22a79a1348e569dfb07700b84001

SHA1
5dcec7332c4aac82e05992f423e3f3a2cabde045

SHA256
bf4169c9c59f47313fd2d8da18c8c13d0f544b9808ab5ee6d8ba6bc5ffce9b69

SHA512
a44c2e67aaf38b017cbe7ddd1a220b906355d65e5ca29ae827fc349cee3d7320094f71c5691f79cdcbcf8b04f0b6bc30d0777b66cdcc47f1fe317c9bb7eb2350

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d1b44509959d67b9b681859dd72fabfe

SHA1
47aa56562a732de0e89fe3127966309eedc55f2a

SHA256
82ea6930d1c69660d775057001e5ea913bcdd77304eb45ffb88bf32118e73ef2

SHA512
c03db1a7493f5d86e9f843cc897d86259b22d468ba31f5b89bc64d8db08de244513515241ded3a078dae514f790d4dfa2ca4e669c6e0f59dc918716d8ea4e93a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
ff9eda178cdee7adc35693dec9cba779

SHA1
ee1e439b55800d262d0ef0a2f637dd271d805aac

SHA256
b52571a7edaf18d8884284218eb0df58e69560b95fa2b6628aed5c62d9198282

SHA512
eccc0792ab0891c57b128d70bdc02ab9650a7f5b99cf97a6412f7a97247369b1ee7766ba8b853c8e12dbd81d4e6cbef8fa50b55fcd9785bacd1609c3785d615f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
9e7adb0d2c823a5df629c68855badbfc

SHA1
e8283f2751958374933a033ca64d8923a45214d9

SHA256
76bc57d49dce64cfcb81a861182d147f9c28f45fbcc9318450e320c6e8f1a92e

SHA512
4993ee0310cc48276c7e59c099115122a114b9fca38f4f068f3b041444a506eb31d44908c40776675078d24e27d2d5cc22bb7967d38f49a386cea8314e4de55b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a02df094ace3a7f5a1cb8fed3f2e4206

SHA1
e15b6cbb268ca8ed0fe2ad72ba3ea4ae72f9404e

SHA256
9b1520f330ff40f087e8e3b7a79f0af9b3eee22ba0e208bb776efed33efc9666

SHA512
4125572cacc3cf691fce4c92b211bdb2f14d3a46197baefa17d7c6bf7aeacfb723db77b51bfcc82a5c45e656c889c47e7a92c89bc7e112a3799a2b9fe7df56f6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
54f52dd54a981e3e7d0348303175e845

SHA1
edccd8c12a54b183e6eabeecf6ad3d0161c386ca

SHA256
1fee5bfa13d250714a0f11461538d87b625d6fdcfc450ed74152b39769854b7e

SHA512
56a42a9159ed6171f8ada97e0139742941cc1c7eb83c417724d7910a9f657a98760569de3b5b2cb68e60330a9e1258b19dd945e866edfa107927de094f2ce051

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e100cb412d9f9a8a4b5c1c97f2ed6eed

SHA1
5eb84465739895641505850447271348bee77c9f

SHA256
4da78e0c94380750d069e0e2fb45260cf329ceea50389574a588d3548e81bf47

SHA512
5797c8bc9f3db0f26ff9171f94ba7f3b359c2b2451a88750e1b765659e82b5cd8e5e650e4b185d5fe2f2de9173641035c79afc4ad2e2d4b2cc3a86a1cafac2f4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a39ab61f9f267845dcb34c7401b897be

SHA1
b8fa9b435893711225a8efa0f22dcb1e680ca319

SHA256
7f41c36d04e598dd90f5335f8ff12b943eab1b22d727d6d668b1a9e9fd814f62

SHA512
d0b3e2805552d543583ee327499574659ad42b184c5cf925f81b635ef64fa2ac6fcb04ff93517564944b96f91362b53c7b9f6acd40d3dfa960dd76789ccce168

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6698657ffde9286d140e8e3075686147

SHA1
18a570aee04645c2ff279a582e2add08b2cc9cef

SHA256
6bf7152e70a5f846ad851cafc053a594a9fd29d42156030acfd5ddb9921fe4f2

SHA512
cfdb98ee6507d0f63639f23ed92fc7d699ae48ad18a0784d862e120ecf788317a298dd6b5552a04892f976556ffa01b1a5239ac155a240e176eacb043f3ee171

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bf4a9505e8cc1c3c8a8cc5ae53eb5fee

SHA1
a9344ad61e8b00102223d8ca0c352b770280f28d

SHA256
a54bfa39c6afe1d39675ad1b757e9f6685443cb15754da8f2b5782ab9f737862

SHA512
0f278da1c69f246c6495902649546123eac092fe4efe2dce2e3d250acd6f54a7afa9748e17615029adff9d0bfb5d9931e4f36fcbd486b7408806dadd6f0572f4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
95a66def27e73425a9f0b1f6bada2627

SHA1
cdbad8a0c139af49e29f6c02f8c714030f37ecaa

SHA256
61ee12c11501e4cc859fea0b76d63550fba75c1368e4b35dc6d90319b9606098

SHA512
a8300db6d5e041842d3bc1c418592f77b58bf3e370112020cea92956bb5d19ba9c5a6239edb2f116f53f61f30838bf0282c9277138c6f653c8a77e538f20a1cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0d2296db3cb99b639d9d8dfb5dc4e9b3

SHA1
2c943fe2b06d00b37dcf9184c038abb8728205f3

SHA256
ff2f63d6b8a7ca4da05c89462fb74000528814360af04a13ea7c53a00c8a8599

SHA512
75f79d59271fd1538a302c5ea53e749f1b32e4b9d531853b812d5e5b8008317a0f394898f0d45f61173c00984ae7b811f07cd381512153daaf1952b2f521145f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
41862b127f3fcf592e1dcd38ffae9f59

SHA1
c55c855af39685e2696e8f111ceecede049e3fb7

SHA256
8f88845d1d435848ce490aac2f2adee317b41e3898326237bb9206ca88e0bffb

SHA512
624e2ffb2ca957b1a2b5466b83eb8adbbe2c3f4dd9621fd89b004d264cf645821155dd185e6190b6d2ea7c26709550204f713a1e539dad161825ac20c2929e86

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1aaaeaf2aef7cb1d5e98db1393dfc9c3

SHA1
27bb7774840dd0e74da6b745e0e73da48f64e3d0

SHA256
217d2bbb107d5fcd02df8ad8e8cd7baf0fac49f60829365264f3bc289b0e71b1

SHA512
364048bd8b310d3887912b900aafc6bcf81f350cf704a1c6ed7177b837a53b4b5010555f7a35cae008546a4a2517649322bbea893a72dbd599163e2ea13f56ae

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b0d2933814be776c343c5991d50a10a2

SHA1
d8ce282cadb4322239172b888b42400b97076dca

SHA256
5c8401eed3b2907989cb6e9bd5345497eee5cefb9d7763843d9080cf9b680d04

SHA512
1a5218448c1d36b24c78460b51493dd4b12698908bc8d9ece47961355a2a7bdf1e109d0e8ffa6532069965ea7f3869195e4509f3f50445586459ae583674e2f5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8a01cd927c7a30429a4b9734eaa238b5

SHA1
797d8beadf8c8ead2c49cd6c3e3624a2b4c038cf

SHA256
ddcd06159146c4e04a559980de9d90561354876d6af2874af79f973bbe89a3f7

SHA512
eb894913a06a649ace91fa99f9d2283423d11b84e2c391f73b01b27aa7bf5bf0e97884c0c8db8b9f4ac0f5f5a6797416578a023f978ce6fcef0d4129865c8130

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
44ad523fdac5fa9aa8c8ff22af0e87eb

SHA1
b2d862582564dc1acc2e7937bfd9ff4ecdef87d7

SHA256
f8b87f0fd29be882f094ed6759fe989944bf22e59f346751281eeee4aacf315b

SHA512
cad2f7ad59e4af25d5b4932ee11fac34590e317cb715cd51799cfb83b123dd2d0211a6b024a858166a9cd23be1b9ac61f053ec2b08edaae8be85d29226119998

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5e3d5ea2d99a3885e2a31c3d1514c520

SHA1
717cf02c8f1c10426a29a92fd330b10972febb28

SHA256
111e5f2f1f956818f7cae520bae6eb4f3323a1d65bdd95297048ba3e51315622

SHA512
e71c80a068267c9dde28dacf2f4866ce138105b0bedbed97e619eb26d6fdb5b3f87f0b8d2a66053f16c5cbf157a36375a943f29f05180545f981a9f282657c55

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c8b0b7fdd188d0044d2e61bffb4a3966

SHA1
2309519ca62b475d5c5c3ae664291d9cc3808a25

SHA256
852a6a766ec5c50232a371fba9f6da393c972c57f500648ca6994987dbac863e

SHA512
7b38651bcb2411239145a189f89d4436b92773de5c44397f6ff0c7577659ad6ba7f7debf91e8d43d84b6cc081dadd65313be21bc723f58fbf89243cb8ff12093

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ac9eca64c66356c9694750327870dd5c

SHA1
610e94b53a370e045692400e06596a8ac0c908ca

SHA256
aac34071e38e262670e565cf4abbd626fd399f6b77325e1b2323dbd9ec374ea1

SHA512
0034ca16a3428f245c939a058c78fcc9e644a06aba3e661d703a3ed18d2cc8469deba8b423ee8a6b650e5ba809d046042c54d4788bb1860ac9e1f8899380cc72

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1b02643778b1d2998b20b13bb7326300

SHA1
31987909d9830f82bd91e5669c904d38b790be1d

SHA256
03046678ce7b7a542f37866561471fa7b700c8f257fdcaabb5bea514f2e8528b

SHA512
77f0f54a725d10179656b0a6f0670dd86fca60bcf145e242566d6592bdfc34a32f6444386714c332cdf6c1d0c41c5a78cb22d3c8a2f01438a12921bd934785cf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
08fa85db77c9cfa53ede574a338482fa

SHA1
10e344b58188f5ba4ac7c3f40737c28cb308a20c

SHA256
fbb07a397153ba74872ddf441977aae911cdee4b5b4ffb7dc584b8bc4c7bd535

SHA512
978be2c15d11a4369e8287fd91237159b4bd30e0cff6a6f5c25d308298b7ddef9b2a5dd6cb7661e0b145f573ef890242d4a188db9c4b9742674e9eb8b8ef5972

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d2bfadc0f1582a59f2ea5c469200967c

SHA1
ba9beddbb96a9f6427a4ff836356c681342759f8

SHA256
a880a4c7df4582ae792a9d5656c2093a178b5ac54bc014335e40e872703eff0b

SHA512
869f9a54e4f78910d9d37ddf9804f58abea7523b3d0e427791a4fb3450a6b4b10a38e7acf626f896b15d5431a5a61c61b046dddb738f746668d26e3fca3c8a0e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b274cd7b38696cd6140039203f5c3667

SHA1
25b72443f5ffe796ebac06510cba03986deca4d0

SHA256
7485d45e205fb0d445b9c64b67e32211b574cf23487a56018794f8faea9569fb

SHA512
b2b0f231abdd5603ef9b91d001fdc6c27f84ee9f8353ac72dc766a297ebec241b08a60d584c905737db783f445ff056ff3b301241b5ce24230ec8954a133df1e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c93c0e6111423c6132318671d90779cf

SHA1
e776304072385dc196a86a011c207a14baaf29f8

SHA256
f36baa03386bee1f9cb4f0113ba781cd7a7121f1df5768acb41410634425144a

SHA512
10b2847a207c795cc360311ff21ffc89e5db2d75c743840150dc9bc042932e08df8e9ba7513424933e002612b6be7b634adab94d571d6f9434b84af08bb72293

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6146f32b6ad6982aa830392c42ee784a

SHA1
67f3129116564cd2af2f959370ff13499ed4b281

SHA256
8f985d3234eca6e062d48a41b419d9a101ee689e33e1332e418733563f9ef2f7

SHA512
3cc2ef5559da53611636ea8f41b935c6c89615665fd5c210b434cae19ae5562a3a0b92298fdb0547251091f97213061e3176839bc53de738b9535234e464e316

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
680c7463196d6af4af69b08e94a2d2e2

SHA1
3f8a141049d22e03c97c5e76208e8f6527327347

SHA256
75d00abe358594acde50b4f323a39c7ac13f6ba4ca49bd41db138257b5539ff2

SHA512
f7ed59544715e6baeaf2c05694a2713348fa8ac7c22cf98f796e1fcb3ca4913f9c93aea0a3712814655c5994f01cf5dcd009bac87c7b5696af13111551614dd7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
69b672dcd08051b01f45f6eea85bdb45

SHA1
d94709b193d98ec2c5d778f81a9dd6a52ec25ae7

SHA256
32713b2de4ba7f74374c6cb0a0bfe019abf80dfc8a203466160d608ba6038225

SHA512
c59d69a691beba7954379f4d9ec13b30e9a8255936a0f9af116a182d759f75cb33770e8c42edaf243c20a2f645e1906d7cc97e613a9274194f52d998a6c8329c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c3d1d5e1d1738ed386bdb4ba23a0477b

SHA1
df17101c0175f0134575351d28b629aa11ddf037

SHA256
bfc60964feed7b67a06ada0684eb755dd1be7e3a194e21b39f1d503478d416e7

SHA512
4fba991e333366a04e7bdb44c05847fd4cd3d4764e2ffaa9166a13225dbbfa97e6999f58d5d46620d418491497cf990f9cfcefe0c5b20b9ebc629efb18d802b3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
abe3f68ee78a88cafdee29572299e0b5

SHA1
3d4a0ded4b869c2d0bdc10cd2abdab3e8d4fe056

SHA256
510ce088bd39e9c779c4f55f9c0b534a30b70333886e348e28aa7dfefd227e8b

SHA512
f2d8decb08e5bbb76b9bc1b47fb0e168503f3de0dab74d3d4599e425039babcef39b11edc619a8c825c5226e1f180d61ca6f0ccc4c23772f4e4834443e2cbe7c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7cd6b93125d3977850e6b71414edf510

SHA1
bf23a1aa045a1d3e9b4b366bb39bbc32085bc2c8

SHA256
86cec373371e99e3fd47278e433cc528d3659453c3aaf21b9edc7bceaccec9cd

SHA512
6fed5a06296d725175a9a0a098d09ec9c001990d5eb8bcd341b4b94bf1c4c11494756ef71a2de2015062f65cea453ef56b6d8541a0c294799414c6935cdf4946

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1f563c039c5a8a6c37554c245067b995

SHA1
90522ae658ac1e9da63e4df5792852711bdb3a88

SHA256
48d0ae30ff99807bffbae653680357aca35fab9956e561e424e63b968cf94681

SHA512
00fee53d45f87ab48e3f67b5c456643b7cf66f40a3d14ff0a757f7a281aca27f27db8a56bcc4b31efb1389341f71adf18f1da84a3e87ea83c65f9bce7c6b227d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b6203c0daacfd81c9eec85f71f722dec

SHA1
c928efb2d38d07fa6e801420e88e6eb7a3112830

SHA256
9cc95790b8fb2bd3df2da2b6f9a814ee52315b9c038aa0b66b6b7476c95bbe34

SHA512
66f5274e00cd935a1d0a44e7dcbca34471d2afdb7f102131e663e8608e0adbcdc9fbd5b3408369bc61a07a9c9b789b86735eae41d3733627980550ecd98ead56

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/844-136-0x0000000000000000-mapping.dmp

Download
memory/936-106-0x0000000000000000-mapping.dmp

Download
memory/1060-126-0x0000000000000000-mapping.dmp

Download
memory/1068-81-0x0000000000000000-mapping.dmp

Download
memory/1076-141-0x0000000000000000-mapping.dmp

Download
memory/1084-121-0x0000000000000000-mapping.dmp

Download
memory/1096-111-0x0000000000000000-mapping.dmp

Download
memory/1160-101-0x0000000000000000-mapping.dmp

Download
memory/1192-91-0x0000000000000000-mapping.dmp

Download
memory/1224-146-0x0000000000000000-mapping.dmp

Download
memory/1320-67-0x0000000000000000-mapping.dmp

Download
memory/1400-116-0x0000000000000000-mapping.dmp

Download
memory/1436-76-0x0000000000000000-mapping.dmp

Download
memory/1448-59-0x0000000000000000-mapping.dmp

Download
memory/1536-86-0x0000000000000000-mapping.dmp

Download
memory/1540-156-0x0000000000000000-mapping.dmp

Download
memory/1596-72-0x0000000000000000-mapping.dmp

Download
memory/1640-62-0x0000000000000000-mapping.dmp

Download
memory/1664-161-0x0000000000000000-mapping.dmp

Download
memory/1872-151-0x0000000000000000-mapping.dmp

Download
memory/1924-96-0x0000000000000000-mapping.dmp

Download
memory/1936-166-0x0000000000000000-mapping.dmp

Download
memory/1944-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

Filesize
8KB

Download
memory/2040-131-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1944 wrote to memory of 1448	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1944 wrote to memory of 1448	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1944 wrote to memory of 1448	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1944 wrote to memory of 1448	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1944 wrote to memory of 1640	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1944 wrote to memory of 1640	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1944 wrote to memory of 1640	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1944 wrote to memory of 1640	1944	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1640 wrote to memory of 1320	1640	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1640 wrote to memory of 1320	1640	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1640 wrote to memory of 1320	1640	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1640 wrote to memory of 1320	1640	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1320 wrote to memory of 1596	1320	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1320 wrote to memory of 1596	1320	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1320 wrote to memory of 1596	1320	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1320 wrote to memory of 1596	1320	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1596 wrote to memory of 1436	1596	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1596 wrote to memory of 1436	1596	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1596 wrote to memory of 1436	1596	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1596 wrote to memory of 1436	1596	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1436 wrote to memory of 1068	1436	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1436 wrote to memory of 1068	1436	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1436 wrote to memory of 1068	1436	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1436 wrote to memory of 1068	1436	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1068 wrote to memory of 1536	1068	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1068 wrote to memory of 1536	1068	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1068 wrote to memory of 1536	1068	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1068 wrote to memory of 1536	1068	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1536 wrote to memory of 1192	1536	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1536 wrote to memory of 1192	1536	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1536 wrote to memory of 1192	1536	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1536 wrote to memory of 1192	1536	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1192 wrote to memory of 1924	1192	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1192 wrote to memory of 1924	1192	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1192 wrote to memory of 1924	1192	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1192 wrote to memory of 1924	1192	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1924 wrote to memory of 1160	1924	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1924 wrote to memory of 1160	1924	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1924 wrote to memory of 1160	1924	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1924 wrote to memory of 1160	1924	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1160 wrote to memory of 936	1160	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1160 wrote to memory of 936	1160	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1160 wrote to memory of 936	1160	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1160 wrote to memory of 936	1160	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 936 wrote to memory of 1096	936	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 936 wrote to memory of 1096	936	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 936 wrote to memory of 1096	936	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 936 wrote to memory of 1096	936	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1096 wrote to memory of 1400	1096	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1096 wrote to memory of 1400	1096	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1096 wrote to memory of 1400	1096	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1096 wrote to memory of 1400	1096	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1400 wrote to memory of 1084	1400	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1400 wrote to memory of 1084	1400	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1400 wrote to memory of 1084	1400	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1400 wrote to memory of 1084	1400	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1084 wrote to memory of 1060	1084	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1084 wrote to memory of 1060	1084	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1084 wrote to memory of 1060	1084	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1084 wrote to memory of 1060	1084	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1060 wrote to memory of 2040	1060	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1060 wrote to memory of 2040	1060	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1060 wrote to memory of 2040	1060	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1060 wrote to memory of 2040	1060	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe