2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Size

429KB
MD5

e7a88e7e9d684a29c4642040ae274420
SHA1

7ee3a7cfaf1a8db45f6dd2195d2e93ae74377ec2
SHA256

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f
SHA512

c48f2957648e2ec794712a84cc1bcd78c9161578f14853d0507711d437780d1a17ceb9ea91a702e2ea7bb2920c18c5ca31646c9de65c9600ec9d7a92eec0aa2b
SSDEEP

12288:HQ+Qu9piwpwIG5MtQ+AeUjeAeheVqZe7J:Xpi4EMsemeAeheVqZet

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1568-0-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1228-6-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1568-9-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1228-22-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4072-18-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1832-35-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4072-34-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1508-46-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1832-48-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4784-57-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1508-61-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4432-70-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4784-74-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3500-85-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4432-87-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3500-100-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2020-99-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3636-112-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/2020-113-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/384-124-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3636-126-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/640-137-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/384-139-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/640-152-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4380-150-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1168-161-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/4380-165-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3552-174-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1168-178-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3112-189-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3552-191-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3388-202-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3112-204-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 46 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1228-6-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1568-9-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1228-22-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1832-35-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4072-34-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1508-46-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1832-48-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1508-61-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4784-74-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3500-85-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4432-87-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3500-100-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/2020-99-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3636-112-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/2020-113-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/384-124-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3636-126-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/640-137-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/384-139-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/640-152-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4380-150-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1168-161-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4380-165-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1168-178-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3112-189-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3552-191-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3388-202-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3112-204-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/796-215-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3388-217-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/796-230-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/2080-243-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1132-254-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/5056-256-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/1132-269-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/384-280-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3728-281-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4336-290-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/384-291-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/4336-300-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/2160-308-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3272-310-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3332-319-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/2160-320-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/3332-329-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral2/memory/228-339-0x0000000000400000-0x0000000000434000-memory.dmp	UPX

Drops file in Drivers directory 56 IoCs

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Sets service image path in registry 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\T:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\M:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\T:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\J:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\W:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\R:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\R:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\T:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\W:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\T:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\K:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\M:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\M:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\R:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Modifies registry class 28 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

pid	process
1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4072	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4072	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1832	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1832	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1508	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1508	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4784	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4784	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4432	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4432	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3500	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3500	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2020	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2020	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3636	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3636	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
640	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
640	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4380	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4380	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1168	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1168	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3552	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3552	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3112	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3112	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3388	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3388	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
796	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
796	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2080	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2080	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
5056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
5056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1132	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1132	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3728	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3728	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4336	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4336	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3272	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3272	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2160	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2160	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3332	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3332	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
"C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
- Installs/modifies Browser Helper Object
PID:3216

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
5⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
6⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
7⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
8⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
9⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
10⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
11⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
12⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
13⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
14⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1168

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
15⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
16⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
17⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
18⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
19⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
20⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
21⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
22⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
23⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
24⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
25⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
26⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2160

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
27⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
28⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
29⤵
PID:1196

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
451KB

MD5
d661d3ea0b956f39435f5e06e36fd7ca

SHA1
defc3b59a7605f99383724798dec9a7380603909

SHA256
cd1687b2f0ec20d99fbe7ff11c0a28de3cdfa1e5d56941b855e9b76bfb865976

SHA512
23308bcfea992bafbb8d4c9ad0f4d9ff3746fef97f6db4326f80c7a80dc999598d680a62d0d07fa1f010849f65adc03f46c8a5502ef23711eb8d235ff3e7b1f5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
435KB

MD5
ce13204909e702ec378b6f517c7c96da

SHA1
5f2cef9e711cf7abd426516c449a2f738dacff78

SHA256
3ec87cf5ee589cdfca9f525b899a8a23b0884421369b82b0cf7fb3e184950ae6

SHA512
66d3e8e1a876a96ba4e56933ada8f29d648b9ccf2498ebe87540df79de8a6e56afd6bf0e1512a7fc2598cf9d629cc45020480f1cbf9285b406ff944cbeb64201

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
446KB

MD5
b99ce4a42edd44e520253589ad8c48b5

SHA1
57f5034693c10391b18aecdcd79c547f5113b173

SHA256
b8866915e65487222306d226e8194652232812bfec035769701cdcef656862dc

SHA512
c137ca3f64cba0f29e2c9f4acf227d38879c4a2b755947c82b336dd052f3fc348d602329ca63a53fc16bb14aad5175a24f4fe4c5d3c5783f32812dbed17f5c12

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
432KB

MD5
c7a927488197dd920e984ede0f214120

SHA1
ff34e3bf3065b873d36af7c02a9b7b599153d475

SHA256
d4cc44b5e688088afbbcf363aa3343faa24947cbfd0b70fee45e12482b466708

SHA512
2758e4a17b60236b1973de061f5cd594203fa769262fb921c845b057d9a06d240af9728a4a494849b3953162faedf95f7399150e6b5c071e611461aade28e338

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
452KB

MD5
b6bc8b90fefd390b2862e200aedbb244

SHA1
54539965e8775bc7c0eac1d3c2bef549dbd0c92f

SHA256
ada2fa9fca3edc15a69412faa84fe146afcd835ad38276ab4879797c8e330ed6

SHA512
bbdf14b412a4d2a39a9fe004a5d87d142ff6aa7baca7df1bc6c89092875837ad0208d3b7abb7bebbaed34b209d711b61e73ca4514729992750bddf78867a606c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
454KB

MD5
91c41692f24ada076a0968452cdcd9bb

SHA1
c2975edb80680f0e71aec549779a3ec1b0919cad

SHA256
f6910458a03a775ce781f6c2678f4ae6608c9f289ee1e9e0801063b72c50268d

SHA512
33b489fa79a12fc22ac548720d9b7787ceb99cf9abe5b0f7e6468edc22cc37b319dc53aac380fbaf8ac7dc8305a3cbef315fb7ed7b29bb58535a91ad412e092d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
432KB

MD5
e74b10216af7b73474e8d9e4e15e89f0

SHA1
83d080cad354c11b8e6f3e714c531cf7099542c6

SHA256
73b9b89cf7340ecd2848cb7c34f033224e491cfef5e06410bdb35502cdec9da5

SHA512
de26000bf5ee126b73abf7c19b135fc782de0b470d5e1e6c4275b87b3824898167921c61fa61842cdea77e2017b024137ca82cbad12639809a7fd5df0f817f63

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
438KB

MD5
d19676d86db2938b7db022f2b4321905

SHA1
a6e10968187d88b10fd71c1d3747f19b8f32c47c

SHA256
948b3a7516710cedc65753eca7308a59511987bb00aab42b07d0b10b2f744ce0

SHA512
4b131809ac581aa6c3509de9633737b9e99404904c56285b1ff78460872c75522482c76ef3d2983a50c16d0dfa8282b6a5b2dfad50f4eda93becd25a0f686c6f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
458KB

MD5
c88fef40df2a5f1b1d05e4948a14763f

SHA1
8952dc34470d48d251c9ba385d9dfec6f4023f4c

SHA256
aaddf34e161e5ae5454b5af9828482932e117ac824e72846fc0884f646a379e2

SHA512
2e61785b4eb603ea2c98d183bce6ac406e71ffb7cd185582d1df7214e4007418149b1e361210929d150b3ac62ffc977569c3d6c372cd62ec75f938a1818f0ce6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
448KB

MD5
3bcf56940883068bbccc47f34c1b6e41

SHA1
0c6ed41e58d56faaa72908c66b7103d7bf65cc71

SHA256
04acbf4d440a41762f10029539af42e17e0aa9eb69de684719f316ff7860a868

SHA512
b2ba1ff2db4b2160e0508c28340c478213ad47bc1a9a40acd720b11e32753f7568ff3bec4677f5e143b84d4152b9c73038cfae8a62d213794932537749bf4aef

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
458KB

MD5
8e415db1f343c22ca6f112bbc609a819

SHA1
9c5f9ebbdf4ebf7c27ae97ed1dcd678e31a07f13

SHA256
f6d989fa86ee86e0163596b6994f534bfcde6ffa938f9f1789bf3999f4df751e

SHA512
689fe31e748eb77cde523c4ecbb035fc41f2d0db70221614d268de59223e4a6e162060914438fdcd6d9c75bfe1daf52086938b200ded8777884c3927874dbf40

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
458KB

MD5
0f209b443dd4706ccf506a3fcbff0566

SHA1
c91d9437974e0b3d759b494700cdc8a030d10436

SHA256
a0e0b82fe98bc8c1d47bfba0c128f60aed186ac7a721d25fd97cd3d705765d06

SHA512
a051acb032d2b4e80e2da6c21add2b51a68eaef812fab32dbd197eb5b536f7e20a7158e53d9c648a28d1d9b2b6650cd889ad1a1efb43835d584f95cf02f9225d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
458KB

MD5
89247a2e7ea22a34afe7122373dce776

SHA1
98313873f7e7eb59b50bef3ac24529b2e6184211

SHA256
39cbdef0aa97eb435fc5a702157c2d72065b521b01bdf3de2030032937987178

SHA512
991845243e4b373387559e57e7ebc36df2ccd40858f73be244e4f361151475a3453cd98bd2bc9c922cebec16b768c7378e825c496d34781a12a8faab378f0fa3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
430KB

MD5
a66ef5c049862a404af1af484ac758e4

SHA1
33b15a731e06eceeb12ad95ff1cfbd8995f36c03

SHA256
a4e892a9dee19b6f9f46d6b63034f78d27e86634b1651f5683cd2dd590abeabe

SHA512
f2bf963a6c29823f1cd7cb417e0b6eef8cbd2ddca476d874ced28e5d41f3c0120f1bbe7c1b5d682891a7795649d2ee1ef992f3b2f63badfee4bdf826875c6de0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
445KB

MD5
c739a50df019a72b090299bb14175e6e

SHA1
ea63223a6d983cfd29554d1b5e65289084945be8

SHA256
f81202085fe44a673620199eec7d700d791dc8ffa57b762b2274306f672c87ba

SHA512
dc7fc857992fc97f094e72b83ba937c1927089c2ad726492dc6fb5c6871cfe539ecef7b1b9440402d755cb4c6d44a547b9c32a319fb1f47ec52ccd8dd1ec8ecd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
437KB

MD5
5901c9128ef6744d4ae52c4dc7f1a96d

SHA1
cd11487d2261a6c4125c9f70796e1dbb97ff4d3b

SHA256
d14815117a5ad2f408ecc21b7fea36638144c6503460b5d2c2628fe9a3eb571d

SHA512
4b3ba5d6f5a8a852d0e253a9bc65be8d2e0d59a541f11daf7712cf35a5ed10e0b1fac9b567db387fb0df499cf30c29968823cc66d4b6c104e7765ee2314112a8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
432KB

MD5
5b54b70e3a5c266676f24ada8a895ba6

SHA1
4f2bea9aced3ad9f2416f5b53e36397dad374555

SHA256
3588370ef61a6005d71dd1d9f95c9d1130f0dfa749c20d38b6dd3ba4606a1593

SHA512
d935079d285b3b4adfc328ea885483b9c6f21f4af3ebd58b49271d7c979acf500fa4be3c284a94a4eac48516c1b6dd1e1ce4dad95d32624821538edf58df8716

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
440KB

MD5
6a25eeeab544368901466f81c5f22cb4

SHA1
7384c5c5c6c022c924b8cd82bea0733a34e3688f

SHA256
8d344fe972777906ec2cdd16dbb0db614befc5cb2799fff2be7d2f5c85e4a53c

SHA512
359d428da49039d1f9c53b38a143b455b7203d02aa4af1945cb622257fd27a9ffef6ea02ec5c10f7b29ad4f00f33ac1d3a5d45f27decb64941ae1826c5587992

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
434KB

MD5
f4d3c9306a6f1195e97ca1c1b908f3c2

SHA1
ffc76bd0dca9a00e349db826377300a919e03929

SHA256
32b11125406daeb524da6669103d1d7c659b51292389aeb72f5335d943574ae7

SHA512
7b303dbf5c3f16232079ad844ef15dc6f632c341ec503b106adfb609f979dffb363af0b846e52e70499cfd5b22231abc4f0d6e4115d8e2a2aa705aeaaea8277f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
439KB

MD5
efc8186c7d67a301529288fad9369472

SHA1
196129fd5e7249a434a1ddd86086943e665e3ebe

SHA256
d68c7678475cb464616e950f92c5dc05c1e83911921eaf6443c844790b14b108

SHA512
4201a879b8a36c9ec153d44d566409f0c535ac74029acbbbd3fc37e979e67167d4bce9003038f874f2d3f3f37a1d0794f7dbddd1c6f79a71ea180601e5fee007

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
434KB

MD5
851068966ba21c9db3730decb30d600d

SHA1
f6a4c6a9bfb070d1a85211d85199775aeb08cf1d

SHA256
1e752457f6f059fd6fc50c67abbe3f883492ab67abbb34b815741c34cb12049e

SHA512
38a73136097f4f7ff1cf55cfb9cb5d79d4a5e94d3b25e0d8248b28bfb2bd5f33c703e18143ef59a14a75ef9eef5ccfb8d8ca62dfdffc4cf463bfe323601af96d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
432KB

MD5
bda391e89428e7219993d6e88deb1f72

SHA1
84e9582a0ae45f68bb9534b1a6a25dc3e740e419

SHA256
95a2e34188962e195e8800a3396b800c950cc2d53d07fe3a922dce89fa2e2aa2

SHA512
0b8b474a7f03233d983271ac0f700bf1623478b4f0c9f1c1efaef7555bcc62dfa30326624161533797d840fc74bcabea0b812907787da90b9635eafe7b86ab08

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
445KB

MD5
e302a43d3f88576fa1dc346077b3b564

SHA1
5287baf3f423d0810b2244c7573c36a87b2da9e2

SHA256
c98e8557026d9614823e22debd1f99fe613184e5a0a71b4a34c3111fea8cfb36

SHA512
4f0caf34c76271206632712da7d1283c086eeacfd513091082ceb848b567e2421485aeaa2b50b051b0ea3b722ee41088e2cbdbb3c049b5531e940b6a51d79b37

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
461KB

MD5
2899cf4f1942a7e2a7cdec7bf6e841a9

SHA1
b7aae5efea0f8f4faffb1bc8d84e56d7f89b312e

SHA256
a9d99b7f13c2e60d251c0401644885246cf2f4d4ff5af6d1ee5b747b8a619ded

SHA512
d825e8ea5c7ef58a1dab9937729a6ab45a37b01cc7194d8247474e76949af6fafff7cbc58fd43934875f2552a7e6c1ea0d3b2d37ac3a61e12f3a815da61895e7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
432KB

MD5
4656f65a2b37a1bf2a0202e1ec86301c

SHA1
facfad1789c4d402676cd4cda985d6ee9d1b0c76

SHA256
48a7643bd31d793f7ca19b42984adf65add87a085119bc38dd717fbb08c85647

SHA512
8ba91dadef9757af4db807fc5789cce7b64d5f14a63796f64bd7e60fa231e6a37e8c6f632bab08f4bec779151655183732d5da346fca1e940e8e5c2a93fd6718

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
458KB

MD5
7bf79a3d74faf059ea3f4c43b893b5bb

SHA1
c55a443e27fa935cc2ced9592c24f5c3d51cabc3

SHA256
a6940b203fa106f34a0512c8e254d35a3407d18e7de8f026eea0a0a71e48c1ed

SHA512
9866a54329009ca0e22b73b3368e2b055c057f398c9acfc7d90141abf37a2b99f1d41e221de7b3477e2a615cfe76f8351774217d7edb66838a0105a5edbe2e36

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
616847faf599c3e5583a23763ac5518c

SHA1
71ccc3f36947a28a72c8a9a7b23455282754696e

SHA256
fe0ed982ce9875e1840e9b319dfd56fb5935c2030905cac208702ec06d9cc332

SHA512
bd86eb67d97ef71ce4df8da48e5466e6810a1897b3a7c193cea48e071a84e842e903c61da0f2ee781428df9c5384d5e1b409e262ea04a4ce1a67cee99086adb2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
f95f57ea622250696e6dfb630637a3dc

SHA1
4bda62e94b228faa2313b9138d214ef385ac02fb

SHA256
3f4e750ca1bd2654ac4280e4062077c80faedc416492026cffd9396fb95dddfe

SHA512
2a247f93f7c45d3f5a87014aa7da21b327bfe9bf7ec3ba7c307615f481a39dc9c35c1fedc4394f5bd7002724f3660c56f46b93c8032ece81697da134076b3410

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
442KB

MD5
f81ca1e340a707117d25650114c1e98d

SHA1
7b49c11adb51ea5f1efc243b174e9a815a5303dc

SHA256
1461dd9773d0e3afddd0c191920851852eeeed8307d82fc6534211703c50991f

SHA512
f0e07f226f883eabce0787ae77bcd6106386fb80153b913eac27f73f58901004424944712c328763983ac57e343ee4e32527360df801e728fdafc0f95e4ab30c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
01e6e03a5feeead6a6c8729157db1396

SHA1
c84d5bdc9d4a6becd36c6f1d9ce1d3a6b1468477

SHA256
767a5b9a8ba505cc932fd71ab8528a47176c566606a10492558150392c797b7d

SHA512
d9d04a4dfe4cd232b4a64a548c0ef70a3762dc8892cad99e93824a702465a2362347c5a747f70247a24dbd45c8b21d7deb3e806cf7182a3c7781a65be606f5e5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
ac72fd43ff516f0c58e747868549f148

SHA1
a7b58b6ca99db21c6a40f26d2bf5210117be0244

SHA256
7a981ee976a9d302d65b2943c6f20ae17cba2900e4feb9a31d667eafb8b0dc50

SHA512
1776e47ff994aff3d8262eede690092b33af00c769fa9b620978c351e48cf7b524ceea5dba4f8edc10cc8ee51fc866f3b8ba090169eac4fa09dd5099caf27f23

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
434KB

MD5
2c10de7ad0dffd14df655d8888a5977c

SHA1
e89e0991c305eef0926357bedadeda6d8d705474

SHA256
79c5a5de0f0587e43539dd0f846f497380eeaccd6ff471d78d2619cc893addea

SHA512
1e3accc5cde5d33276c9158dc9cf0eb02bc2edc8f671791fce167c68bace9d52d00efc7716d804b07560ad6fb6607600256fcf7044989e7691910c3703c98653

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
429KB

MD5
b5a464bcae9415860066da88996d0e7b

SHA1
27e937c5a49e2cd355c723c554c4d3365eff8c10

SHA256
fcd43b993a523e40a83ef213fe4893fcf93b77f3657ccc61d6942cd2fb04989d

SHA512
44080af48355ccde9bf8dfc483cf435fa908d49e60cf6c8d5f72304e0244bbc2784f4cfe1e4315d5a9771975a68e074b7d7434a94a4a8d36eeeaf1be485e5b55

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
451KB

MD5
cea3aa5f1d8043d9fd788076d2a132f4

SHA1
925c6d1e45a545d15435c10a2768204186a8a96c

SHA256
667e83017c575b87a21b6736842f758e46e1212e1ba69b08880d865f8d7d701c

SHA512
35a6428896d30a0c2485b680b76e025e0352a48d1dcf7ca02e07cd7e4d5f5a02a548c6315778305eb7c2f8d8c6bf53b53ed925c32e4184a4be6d7052edae1614

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
60b56f4d7b31e0eb9db16867670bb005

SHA1
0fd142263254024b7d8a81f3efa27fb93fd269c7

SHA256
d8401c36a864a3823cce085087046f322a135ec246faba206990d54e16e4a489

SHA512
11ba939f244aac8d086dab9eaf3952a74003b9eb21c230e10892684a6846a1ec6a96321d9d82ad1cba3697dcfd68bad151dad01b83181d1daf61f23c98823e65

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
443KB

MD5
fdbe6294ecea4d0fe61f22571511adc8

SHA1
1c2d24077ca32488f06a15913e29d93498d30ce9

SHA256
a8dce234bc2079bec0b6ff03274c4d5a63fc81c41a57e4a5214f06627ad7ba39

SHA512
9e54dd840c25328de078ec8a03e056b6b7b9ab411f6dd5314dc7412d86743f88f58574fd4c05ace8a0e71d8fe46348dbd30ec51c5d6ec002f3ebc5947dc8da6a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
434KB

MD5
567cb69849d67bae39d15aa97b03bde9

SHA1
bc4041197e6efae2b50a7a92eeb6f8e298f61957

SHA256
b0284a7e9e43e6d7e99bf7af7df50c0c45fc53789e33fb947c81e5a1ff081e99

SHA512
388a6e6ad9d0b937b7555bd82b60009b52b23a7b806edfacc2c5f3b9c46152e49a9d69d9bb0de9fc3e15e6c248939937ceeef266e094f2977185cce881973021

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
59c8182485f44eb6b2b7490fed9cad23

SHA1
30671ff1589167b7cda9650a6885073ca612d5b3

SHA256
184876f1cf7cc27176524c77e7952f5e40edcefc90624662e485ea0281c26cd5

SHA512
ec8d31f88fd103c02a1c4999cdf2f9ac85483f6be44d4a1a74d6a83c7a300a6bc8e79decedea2f3ecd0f4adf0d5b14b7da062c2ce2930e1f455a5d2d3299c250

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
459KB

MD5
7a84b812fea299547b1d9ec98b26e6ed

SHA1
1214ffe24d573f335446d6e4f6aa34ecf1ef2393

SHA256
8bd5a55be9b9b6b2222cc584cecbe86cd3e2c60ed2c502b3fd01090e1d5fdd91

SHA512
c1df350e7830aaea91f9b644d8c4c7d3e281675106fc383ea7cb39dec4e5a20795d7e42cbf67571de0ebf3fc33df12a8bbf29a757b0948666f3034a91775c129

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
442KB

MD5
ec344d4b935ba19209e2df413eb2ed2c

SHA1
c497803b65bdd0311cf73452bd9151c551329e5b

SHA256
51ee9ee7b5d2c42817421b6b243989617c1681f9c076acb4b986e0a00b48b4ef

SHA512
22ffeeae3f9e92c9bcb782f175736dc7ea91c37ee37265d924527a703cc2ff63b212280ca94b814e63ed33fc8ddd8a35ce0151a763f139e3c1e4ce8b931ce6c5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
456KB

MD5
ce7eabfae8846d624ccdf6a11674f323

SHA1
c3dda8cd8be513068eb5808d220bb476a73dd93c

SHA256
f3e7b44c773b183f87383345bad05383105496af9511f81cc98ef4aa2a3504de

SHA512
c29a89a11abd4e225c551603607cff2033c263a7e1fd5502901398a90f2716d3734385c3dd8088581ad6bfc839e73fb439c59e2c5ed048babf685f8340f0e928

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
cf78dd0db1f0888bbc98d2481d83c818

SHA1
27fbb761b788eaaa6fd03892ffb2f40cf202c049

SHA256
e5ed4cea4132c39b8711b32cdd85367bb5bfceee0f56b76943353bb1b73cfba3

SHA512
0d8931a9e12e6b4566149609fb324a33178be0abdd185a9abe59e215af48f3ad18644651ec4da6f7fac8d08aa8dc013c4ea0f6fc06c6ee347f6264a09d860545

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
1c8dc56063d3683b5d66cb70cd44ec14

SHA1
6d38edeedb9a2e10c35de0ff51ee2d5f6daa154b

SHA256
f5d3c31aee40e08dd8029f93d04a4a3ba3fc6c1481efffce50f75c713af5d57b

SHA512
69f1edb90e3236828f898d994bbc0aabacbadac77c5d72cef4ae2140bc5534d16666ffee75fc582ac21e2124cf46481e74972450be031e1a0f4648f67ab6c812

Download Submit
\??\c:\stop
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/228-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/384-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/640-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/796-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1132-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1168-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1196-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-61-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1832-35-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3332-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-85-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3552-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3636-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4432-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4784-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

description	pid	process	target process
PID 1568 wrote to memory of 3216	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1568 wrote to memory of 3216	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1568 wrote to memory of 3216	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1568 wrote to memory of 1228	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1568 wrote to memory of 1228	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1568 wrote to memory of 1228	1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1228 wrote to memory of 4072	1228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1228 wrote to memory of 4072	1228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1228 wrote to memory of 4072	1228	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4072 wrote to memory of 1832	4072	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4072 wrote to memory of 1832	4072	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4072 wrote to memory of 1832	4072	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1832 wrote to memory of 1508	1832	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1832 wrote to memory of 1508	1832	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1832 wrote to memory of 1508	1832	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1508 wrote to memory of 4784	1508	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1508 wrote to memory of 4784	1508	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1508 wrote to memory of 4784	1508	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4784 wrote to memory of 4432	4784	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4784 wrote to memory of 4432	4784	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4784 wrote to memory of 4432	4784	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4432 wrote to memory of 3500	4432	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4432 wrote to memory of 3500	4432	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4432 wrote to memory of 3500	4432	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3500 wrote to memory of 2020	3500	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3500 wrote to memory of 2020	3500	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3500 wrote to memory of 2020	3500	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2020 wrote to memory of 3636	2020	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2020 wrote to memory of 3636	2020	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2020 wrote to memory of 3636	2020	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3636 wrote to memory of 384	3636	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3636 wrote to memory of 384	3636	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3636 wrote to memory of 384	3636	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 384 wrote to memory of 640	384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 384 wrote to memory of 640	384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 384 wrote to memory of 640	384	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 640 wrote to memory of 4380	640	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 640 wrote to memory of 4380	640	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 640 wrote to memory of 4380	640	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4380 wrote to memory of 1168	4380	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4380 wrote to memory of 1168	4380	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 4380 wrote to memory of 1168	4380	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1168 wrote to memory of 3552	1168	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1168 wrote to memory of 3552	1168	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1168 wrote to memory of 3552	1168	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3552 wrote to memory of 3112	3552	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3552 wrote to memory of 3112	3552	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3552 wrote to memory of 3112	3552	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3112 wrote to memory of 3388	3112	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3112 wrote to memory of 3388	3112	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3112 wrote to memory of 3388	3112	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3388 wrote to memory of 796	3388	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3388 wrote to memory of 796	3388	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3388 wrote to memory of 796	3388	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 796 wrote to memory of 2080	796	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 796 wrote to memory of 2080	796	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 796 wrote to memory of 2080	796	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2080 wrote to memory of 5056	2080	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2080 wrote to memory of 5056	2080	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2080 wrote to memory of 5056	2080	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 5056 wrote to memory of 1132	5056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 5056 wrote to memory of 1132	5056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 5056 wrote to memory of 1132	5056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1132 wrote to memory of 3728	1132	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe