55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe

Analysis

max time kernel
154s
max time network
116s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Size

8.9MB
MD5

684c4fc3683b5123a1ef42f92c6ef64c
SHA1

4f804fc149d0f460c530ce4d2e8017c7d9987e48
SHA256

55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe
SHA512

89e1d627bce754ee75fc85b774f074161b449d3a78bbf1c5506eac8d1173a97b23b0635cae9235fc3b09cfcb69eff3d857b19f3630282951c6bf3833931d74f8
SSDEEP

196608:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxQnKnqVtxQu9OryfEQncryfEQuWCLeybAZ:i7effIPEsy58doQaTzwZ8Jq3QKnqVtxy

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00090000000122e8-57.dat	acprotect
behavioral1/memory/1248-58-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/memory/1248-64-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/files/0x000a0000000122d6-73.dat	acprotect
behavioral1/files/0x00090000000122e8-74.dat	acprotect
behavioral1/files/0x00090000000122e8-75.dat	acprotect
behavioral1/memory/1576-76-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/memory/1576-78-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/files/0x000a0000000122d6-84.dat	acprotect
behavioral1/files/0x00090000000122e8-85.dat	acprotect
behavioral1/files/0x00090000000122e8-86.dat	acprotect
behavioral1/memory/796-88-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect
behavioral1/files/0x000a0000000122d6-98.dat	acprotect
behavioral1/files/0x00090000000122e8-99.dat	acprotect
behavioral1/files/0x00090000000122e8-100.dat	acprotect
behavioral1/memory/1644-101-0x0000000010000000-0x000000001010B000-memory.dmp	acprotect

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1248-54-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x00090000000122e8-57.dat	upx
behavioral1/memory/1248-58-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1248-59-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1544-62-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1248-63-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1248-64-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1544-66-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1576-69-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x000b0000000122d2-71.dat	upx
behavioral1/files/0x0007000000005c50-70.dat	upx
behavioral1/files/0x000a0000000122d6-73.dat	upx
behavioral1/files/0x00090000000122e8-74.dat	upx
behavioral1/files/0x00090000000122e8-75.dat	upx
behavioral1/memory/1576-76-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1576-77-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1576-78-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/796-82-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x000a0000000122d6-84.dat	upx
behavioral1/files/0x00090000000122e8-85.dat	upx
behavioral1/files/0x00090000000122e8-86.dat	upx
behavioral1/memory/796-87-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/796-88-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1644-91-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x000a0000000122d6-98.dat	upx
behavioral1/files/0x00090000000122e8-99.dat	upx
behavioral1/files/0x00090000000122e8-100.dat	upx
behavioral1/memory/1644-101-0x0000000010000000-0x000000001010B000-memory.dmp	upx
behavioral1/memory/1644-103-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1080-107-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1508-109-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1508-111-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\Q:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\L:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\F:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\O:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\O:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\T:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\H:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\L:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\N:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\U:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\I:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\I:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\S:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\K:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\N:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\U:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\P:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\F:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\R:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\S:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\H:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\W:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\X:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\Q:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\S:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\U:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\K:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\T:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\S:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\L:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\N:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\X:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\W:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\K:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\I:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\P:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\E:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\N:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\O:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\G:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\V:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\W:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\O:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\M:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\G:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\J:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\P:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\Q:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\H:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\U:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\E:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\X:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\G:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened (read-only)	\??\X:	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ftpdll.dll	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\ftpdll.dll	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\ftpdll.dll	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
File opened for modification	C:\Windows\SysWOW64\ftpdll.dll	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1576	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
796	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1972	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	27
PID 1248 wrote to memory of 1972	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	27
PID 1248 wrote to memory of 1972	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	27
PID 1248 wrote to memory of 1972	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	27
PID 1248 wrote to memory of 1544	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	30
PID 1248 wrote to memory of 1544	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	30
PID 1248 wrote to memory of 1544	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	30
PID 1248 wrote to memory of 1544	1248	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	30
PID 1544 wrote to memory of 1576	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	32
PID 1544 wrote to memory of 1576	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	32
PID 1544 wrote to memory of 1576	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	32
PID 1544 wrote to memory of 1576	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	32
PID 1544 wrote to memory of 796	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	34
PID 1544 wrote to memory of 796	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	34
PID 1544 wrote to memory of 796	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	34
PID 1544 wrote to memory of 796	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	34
PID 1544 wrote to memory of 1644	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	36
PID 1544 wrote to memory of 1644	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	36
PID 1544 wrote to memory of 1644	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	36
PID 1544 wrote to memory of 1644	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	36
PID 1544 wrote to memory of 1080	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	39
PID 1544 wrote to memory of 1080	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	39
PID 1544 wrote to memory of 1080	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	39
PID 1544 wrote to memory of 1080	1544	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	39
PID 1644 wrote to memory of 1508	1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	41
PID 1644 wrote to memory of 1508	1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	41
PID 1644 wrote to memory of 1508	1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	41
PID 1644 wrote to memory of 1508	1644	55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe	41

C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
"C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
  C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
  2⤵
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1576
- - C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
      4⤵
      Enumerates connected drives
      PID:1508
- - C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    C:\Users\Admin\AppData\Local\Temp\55f5bde691e69325bb2e8f7e7188d833a77c7686afc5b56ca7d457afc02424fe.exe
    3⤵
    - Enumerates connected drives
    PID:1080

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
f823836bc01249fd47b713dddd6f685e

SHA1
1d245e9117e5d2f65bed102d799df29566cf170d

SHA256
d0707cd293f0882fa64318102e1b45e8851339a53b685bff3c0b5d0c30eb5b25

SHA512
8dd3b00a6ff667919b5d6813def76506d5247d8d60471503167bfdba7e61e635d0e5c00fec05219923fcd7157f9e3808f2ed66b91956b466c00fc3f8cac3664d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
279B

MD5
4067aae3423b2b07ca7caab7c9503277

SHA1
f427bbad70c869f7e4844cc60e8b6d19719eb44a

SHA256
f4aa7ed4c86465f043dcf128992d7337f24733d21a184a3366cffe31be698ebc

SHA512
b17655162161ac10e52efc904742d8b090c26552244057c9754a85b8b1ef9442fe3cd103dddc219cad2483299637b1b3c494106d4b5023d08c8652d8e6cfd049

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
2d45fb778c1ff4ccfc2a252cc4ca9269

SHA1
f3853862932ded5f941e748082d335c2a8c3daaf

SHA256
bcf3182dfcae16c4b4798f61193a678affe94cb56a0c8981a3548026b72e5243

SHA512
cdb81adaa7e3bb7216235264e6b06da2d334f778ec52c169b291ba818e6402dac22e1552c8cb9c98cd6719d0081fdd5443f786edcecc5a3f3683af14d5fb4eba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
340B

MD5
ef31d514002e5be17b7aacbef0691c7a

SHA1
e862f5c746337b4b2094e6398d0b59dc54a2b265

SHA256
e39a156745ba9dad92912f425792701f5290edcd143289963460a8579eab6f6f

SHA512
535253e67d4de16a10ec58bdf53997aea32e1b71957476afa6fa9dfb48d7d7c1ab8e8f1ab1fc21a4d76f68a8c96c15c2f2df3a0e4a08776ec27c87ccbfbc1f55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_C1D494D2F32AEDC4FBA6C14F3F436273

Filesize
426B

MD5
d0459afb32321b94bb47b228d42d610c

SHA1
e5a25770e44d364de09c2692ea6178e7411727d9

SHA256
907c20f5f79f8630bda8df29ee6dd02be076cffd36092bf48499621488962f25

SHA512
87410966fc01e69f8d4d74bb3cf9e01acfaa733c77770cb39a9e45879b60f37479a76eb582612eb7dd7a7354fa9c19fac38f3a03c3acd785ff4560a5e36abfdc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
8.9MB

MD5
1db392db211423bb21feb9a5670d5887

SHA1
da067fbb8beab4e14d14deb6337d49a5901f50ec

SHA256
51bfd4e8939e3baf16a3f2083ae8f687aafaa55402997b01c81f08c5a923070e

SHA512
2e85f54da38a5908b0f934437727ffa3e2f00f8440d79f469536d87380f8f9d16a5f57d46fd9b1224d71b24c0c9a85cc215cd8501914899c182b637385090b6e

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Users\Admin\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
8.9MB

MD5
856e91fe0e9e12f9e5be06d8eaa33791

SHA1
4cb97d5a71436775ccdef6de0d9edd86273b8977

SHA256
78fc30864078be084a9dd67a73cba08bae584202da087898d45a75196142e0fc

SHA512
b596b2943fd029a757433564b6a53adfdcf82977fe3801064701ba41ca97465070496d79e5b535638feb31a875fa58ebe1223d14b8fc49e85e17215e81ee130e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
C:\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
\Windows\SysWOW64\ftpdll.dll

Filesize
5KB

MD5
d807aa04480d1d149f7a4cac22984188

SHA1
ffd5be65fd10017e34c11cecd105ebf4aa6c0cd9

SHA256
eddf092d901afe128322910c3ff41a3f242d33d6b4cdf91ece327076b324ccbb

SHA512
875543583c20ab164f37a4fb2587d234ce0a15d649d22b0d1dae5933f0a7683db170578746ea4458c51fec26e2243c6ec00dc10db8d4289789e50d5800cf863e

Download Submit
memory/796-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/796-88-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/796-87-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1080-107-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-61-0x00000000031C0000-0x00000000031E6000-memory.dmp

Filesize
152KB

Download
memory/1248-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1248-56-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-65-0x00000000031C0000-0x00000000031C2000-memory.dmp

Filesize
8KB

Download
memory/1248-64-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1248-58-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1248-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1508-111-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1508-109-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1544-90-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-68-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-106-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1544-102-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-110-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-79-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1544-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1544-81-0x0000000000270000-0x0000000000296000-memory.dmp

Filesize
152KB

Download
memory/1576-77-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1576-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1576-76-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1576-78-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1644-103-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1644-101-0x0000000010000000-0x000000001010B000-memory.dmp

Filesize
1.0MB

Download
memory/1644-91-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1644-108-0x0000000002760000-0x0000000002786000-memory.dmp

Filesize
152KB

Download