f1d10b9078cdfaee5d84454bd5fbf8d95e0da16fce677d29943ed503d51b4fab

Analysis

max time kernel
150s
max time network
141s
platform
windows10_x64
resource
win10v20201028
submitted
14-12-2020 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b320b2d23159f10e47d51db6efad1e4b.exe
Size

384KB
MD5

b320b2d23159f10e47d51db6efad1e4b
SHA1

f734ad3f90a01113a57b6d48ce7429f2cd94f8d6
SHA256

f1d10b9078cdfaee5d84454bd5fbf8d95e0da16fce677d29943ed503d51b4fab
SHA512

0b7e6454b4fdacd51cbe56558d77f0fde2f5d8df41da27f7caf6aa74ee1bccfaa83c859b08b7165ce1903ac39895b6f6abd00ada35b2b6167eafc1ef3792fa38

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	b320b2d23159f10e47d51db6efad1e4b.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

b320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exeb320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	b320b2d23159f10e47d51db6efad1e4b.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 116 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	b320b2d23159f10e47d51db6efad1e4b.exe

Enumerates connected drives 3 TTPs 600 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\G:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\E:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\K:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\G:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\T:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\R:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\U:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\G:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\J:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\K:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\M:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\X:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\T:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\R:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\Q:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\M:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\W:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\L:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\T:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\F:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\I:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\O:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\X:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\N:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\V:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\P:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\E:	b320b2d23159f10e47d51db6efad1e4b.exe
File opened (read-only)	\??\S:	b320b2d23159f10e47d51db6efad1e4b.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

b320b2d23159f10e47d51db6efad1e4b.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	b320b2d23159f10e47d51db6efad1e4b.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	b320b2d23159f10e47d51db6efad1e4b.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

pid	process
1176	b320b2d23159f10e47d51db6efad1e4b.exe
1176	b320b2d23159f10e47d51db6efad1e4b.exe
892	b320b2d23159f10e47d51db6efad1e4b.exe
892	b320b2d23159f10e47d51db6efad1e4b.exe
2752	b320b2d23159f10e47d51db6efad1e4b.exe
2752	b320b2d23159f10e47d51db6efad1e4b.exe
2188	b320b2d23159f10e47d51db6efad1e4b.exe
2188	b320b2d23159f10e47d51db6efad1e4b.exe
3948	b320b2d23159f10e47d51db6efad1e4b.exe
3948	b320b2d23159f10e47d51db6efad1e4b.exe
1056	b320b2d23159f10e47d51db6efad1e4b.exe
1056	b320b2d23159f10e47d51db6efad1e4b.exe
1100	b320b2d23159f10e47d51db6efad1e4b.exe
1100	b320b2d23159f10e47d51db6efad1e4b.exe
3936	b320b2d23159f10e47d51db6efad1e4b.exe
3936	b320b2d23159f10e47d51db6efad1e4b.exe
832	b320b2d23159f10e47d51db6efad1e4b.exe
832	b320b2d23159f10e47d51db6efad1e4b.exe
976	b320b2d23159f10e47d51db6efad1e4b.exe
976	b320b2d23159f10e47d51db6efad1e4b.exe
2156	b320b2d23159f10e47d51db6efad1e4b.exe
2156	b320b2d23159f10e47d51db6efad1e4b.exe
3992	b320b2d23159f10e47d51db6efad1e4b.exe
3992	b320b2d23159f10e47d51db6efad1e4b.exe
3544	b320b2d23159f10e47d51db6efad1e4b.exe
3544	b320b2d23159f10e47d51db6efad1e4b.exe
408	b320b2d23159f10e47d51db6efad1e4b.exe
408	b320b2d23159f10e47d51db6efad1e4b.exe
752	b320b2d23159f10e47d51db6efad1e4b.exe
752	b320b2d23159f10e47d51db6efad1e4b.exe
2164	b320b2d23159f10e47d51db6efad1e4b.exe
2164	b320b2d23159f10e47d51db6efad1e4b.exe
4076	b320b2d23159f10e47d51db6efad1e4b.exe
4076	b320b2d23159f10e47d51db6efad1e4b.exe
1336	b320b2d23159f10e47d51db6efad1e4b.exe
1336	b320b2d23159f10e47d51db6efad1e4b.exe
3880	b320b2d23159f10e47d51db6efad1e4b.exe
3880	b320b2d23159f10e47d51db6efad1e4b.exe
2068	b320b2d23159f10e47d51db6efad1e4b.exe
2068	b320b2d23159f10e47d51db6efad1e4b.exe
1384	b320b2d23159f10e47d51db6efad1e4b.exe
1384	b320b2d23159f10e47d51db6efad1e4b.exe
1184	b320b2d23159f10e47d51db6efad1e4b.exe
1184	b320b2d23159f10e47d51db6efad1e4b.exe
384	b320b2d23159f10e47d51db6efad1e4b.exe
384	b320b2d23159f10e47d51db6efad1e4b.exe
3196	b320b2d23159f10e47d51db6efad1e4b.exe
3196	b320b2d23159f10e47d51db6efad1e4b.exe
1000	b320b2d23159f10e47d51db6efad1e4b.exe
1000	b320b2d23159f10e47d51db6efad1e4b.exe
500	b320b2d23159f10e47d51db6efad1e4b.exe
500	b320b2d23159f10e47d51db6efad1e4b.exe
1496	b320b2d23159f10e47d51db6efad1e4b.exe
1496	b320b2d23159f10e47d51db6efad1e4b.exe
1440	b320b2d23159f10e47d51db6efad1e4b.exe
1440	b320b2d23159f10e47d51db6efad1e4b.exe
2172	b320b2d23159f10e47d51db6efad1e4b.exe
2172	b320b2d23159f10e47d51db6efad1e4b.exe
2052	b320b2d23159f10e47d51db6efad1e4b.exe
2052	b320b2d23159f10e47d51db6efad1e4b.exe

Suspicious use of WriteProcessMemory 90 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
"C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3544

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:752

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2164

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:384

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:500

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
C:\Users\Admin\AppData\Local\Temp\b320b2d23159f10e47d51db6efad1e4b.exe
30⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2986afc25a476738684606b3db01135a

SHA1
bfcdfd4b4e90536b4f8c2e31e2aa4829a1cf19a9

SHA256
1e92e9215a2e3ef30dd34723e45d280bd749bd6c1c644c870eaae0c5ae1b11a2

SHA512
32916b4d22b99ec8709aacd87895fb97f2cdda9e3600930ec17edb0d6b4d69f9c2b9b0cde8e0fe9f62a8dfce3a5f7d4678397cb3427bfa67fbce04ea69886435

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
41df25dd84904d36bb33c1005e8151d9

SHA1
1b3ff2db3c62d47973e87fa419df6a0aa4fc494d

SHA256
222db366c6af362216a9df953542a8c3ed31d5d7c318494f14b59e185a8bdd23

SHA512
34c4a14e8ff59bf1508eeb9cf74a37061dc7eec88622414f159ac40fd811242a48dacc7293269be815abd95b4314392c5f1d446c38888fa23922126a7edbce94

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4f9a21b0ae57352bd4e084b07732a740

SHA1
da533f776f8604b86a55f66c201af2432f7d7b95

SHA256
921fea4721b6c7cf8ed5883089475e23a3bb465a5a909346b669e6c9278cd2f4

SHA512
4a16c99c826e24b8c150de5adcef16714ddb910be1feb8816b50278fba9e4d79ad3a39629792ba4e1fd23d04b3e08583abb8869e1ae1ceadfbef445ea083c7ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b73c45118d2d87a0f1d37e3bd43f6db0

SHA1
f9f5b716afb33073acbf0281099e86a29c02d54b

SHA256
17af58749940c37221a0bc4d719eb87ceeef77e532867fa9cc58faa0f94db3f3

SHA512
656295cd009e920322f12180f3e84150a2a1a325e5ace512bd9e0aa910f8508fa49dc443cd39ff1f84c899c03429bc61012291614d4d55bf571916d3197bc609

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ababe3ddb48574416d0c1a7566d84a47

SHA1
181b5ad5c8c1a2ad4d46846fac980b4895e54f19

SHA256
64fb75c4ed2da3c14f90185397f4e784c27bf5c0bbff0ce0b8c99daf2efea20c

SHA512
b42dea133658af5421fb84acafaeae97f7ef3e748f626c3b86c1bd0c821bf276966b4b791fd02501418873370b215700fbe58f378c99676cf05f4dccfd87d525

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f49aae871c0efe9cbe280491afc69ad4

SHA1
6b895664ce1b2ae33413b80e41bcd733022bb506

SHA256
b8e5df1dbdd8244ae94f26b8dbd1299b2de6fc9621bae92dcc9d67a6c8886cf8

SHA512
256469af72068a479a735d209d82f0f352af1fac9dcd0a72079311ec8e8447a185bba57e3b57da1922c6b96749b880c07ec0fd9283603ea97d350fe281deb947

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
951ed2d3c4d7efb53d2235379638c397

SHA1
f98365486175a5889cc1c0d6beb5715fc685aae1

SHA256
6df628b4b4dae7622ab7b79a1d9e22ad14ddddd3c1c0f123ad0af584d01773b6

SHA512
1fb6d3cc4a9bb89bbf8371aa3fcdf0bae6f169098a9e72e01029ad4086c23b149f253fc7ea7fb02004cee5ee4e0fcf1a1d7aef25f0171891e151e506a5c22ee7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2748c4e654a596ab9376160c6960e270

SHA1
066bef2e0380de37c885f27bcdffc5ee5c93fb3e

SHA256
f7956f38215def489ed005f254fe841da9b91d7a9ab84b5d7453bb4625503e31

SHA512
f631f93a00f0436a27f0619616911c242b431b54b7d4d2b94a86e6729a1b004c5bf8fa5e1317d2f749c2229c0e564b63fa53a2b63f206d3fcf3d1400dc341615

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
14553fc244e501184b218c1852e7c392

SHA1
d680ef8d9940a3cca475cac11763c3430505b2e4

SHA256
b2058abb9da7f86342faaa3daf1afe7a08aaf0e2a4d893e7ce4adcdbd22ca014

SHA512
e07c1e33c6071e61df8799999f2f99f4cf55e57ea81f308a2f16df5c945285d65c69ebd75c3f6553e6f2070ad4008708236bbf62895d62821a86334cb63a031a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7b15d8e1d73eb56d78f2b3287aeeb303

SHA1
3649a39837cf58338ff5b337c3d2900f2e0e56cb

SHA256
1b5128c6bd860d71fc481eee0537cf30a579886b4fa306e42b9938e06f58cd70

SHA512
a0f2796d5e26a7549eb8823287580b89da223c453a1d5ca36bed3a067a55421ebf27cd7cccd6085373229be1260c67d7c926811d887352132a75c6927bb04109

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d88e5df9d65b068fff666d1d253d654a

SHA1
5550032a937807448f011c9da0f4923cdceccc57

SHA256
983bd1d952a8a370ac0a834c4b87b4a39a40c83db879ff51930ebcf5217fc7e4

SHA512
99b1a65ebcb72b8e3ccc4eb0b5f848785ef3d45741f2b57935623181ec7af390b045896f48aebd7f8d2f5cdd4e040ea144becc875eae4d22f30988dc6e26aa95

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9b1b20cc6b004249fca54389578adcd3

SHA1
741d8d6df5ba270757c6b0106b1f542c3c765e3f

SHA256
aa3aa146fd3d1175fc3493ac22e1b3da28102d51ea1476326809211319a20f95

SHA512
2a6f75770cf6bd6fdeecbf725a86983d71680bae51b3709c0e1779550e449b3130c891f7b2030ba3a85cee5124ca6a7391abc6de297294eed243d4d0b29199d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
60732ab1246c74f6cabdf62230b968d8

SHA1
4a443e996cf452bcfbee36d5acdc5b2e873e43fa

SHA256
d5d0dce2c221792f89a28dc206e50ff3eea237877ed90f62a0fcc514c0c6f9a9

SHA512
00e20e009fa35ce8d8c5e5571b27730844352ccc4941426baac1c3439890f70d7225190ed76b31c04b34cf9969ee86c75b293bb5d6e90e9f806131af5bc7a321

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f68ace7eeacf03c76fac3756b4b86aab

SHA1
734206d0f619cdbdbab420aecaeab2f86b3d8e2a

SHA256
a1647b228714ee25667f7aefd5a31e5736ebb908d17c9cb1e4f4ab092c4642e9

SHA512
943a4c3362bacc6e0c0d4fab10ca70815977a1c6d6cc8e596374b37ee5d2b4f77fa41131c001bbcc47614178b9cab1c11b37c60cb2a653dac129fce2ca34e466

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7debf9c10362fde41c6b048047f4a2b5

SHA1
a90e31498400f7ad4aa83ed86df41395a677ecb2

SHA256
819ace3216de43b420505aef1b28d04d12aa70ef91890e9f8be2cd8a27d4d026

SHA512
21fdc602340df0ed6a7049db8b38aef6e63064070d92dcdb9ea5dd0c973ff12fc7a4fa02f52dda3f3fc36e5269517b7ca9fa7eb9508181e6cf67df977b11aa14

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
27c08d8138543ab929b8fc03c0805a15

SHA1
7a9db0bb85e9dae23a36dc6d9bf4929fee350b80

SHA256
d9e5170797774b1f10f5aa84486ea59d044904f64a71bac7139897bc141d77c2

SHA512
811f9c08dc9cf8e6f938b7ae80d8ed39ecf4fd385162ce24d397057e5b2d0904fd6a869a2dd1e1621f8e436701809d597767300446928528d9d68015813d8964

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fdef83b036aa7da9a2a79fbe80df7a4b

SHA1
2820be2776ffbe01d0a8a7abb7d42001f7804bb5

SHA256
90184776cb9376e5b0b0a2404783541ac4af549c2b8445b375254908caf5e53c

SHA512
e6e88bbed66bbd62606fe4861b86616f14b3b7c6e500ab9456781421955889992a4347b6232fdfa559a118a0c6e25516391b996b1bac0523611019af01080bbe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
037fdde2eb0f1fae5c49c10a94a3b6b4

SHA1
16a7873464027cf06444d693dc288f44a3743fc0

SHA256
38e15f67810a2bde3b97935217d76d0fea9b29b5c6806312c223bae6df83f9c2

SHA512
fcd43999d8e541ce18fd822e6b4cad3e237a129fc742451f3a5f4dbbfeb468356f6b489c905a0da738cfcc94f15c4ef5ecd000971ecb854c281f5b88e3cc7ecf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1408ee37284b2790f10fd3e636118fad

SHA1
d46f953117a51ce6d48bc50cb109cb712f0a9288

SHA256
403cf93b6d84fc4c841d2cf30f9cafda1640cb13e5783ffd2e682aabfa70257f

SHA512
dd69d411bf9416da7e4712997032f55cf40f1d1886ccbd8858a3827ea5ecb586eb37914b8516787dd33ee9c2a80c0aed5097b269621c00f4b64ca04206f0ea7f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0f8a1d47a6f82038bfc8a35115f07e1d

SHA1
6c7d09ad99138d45bab4eb9b6c59b3a56369139c

SHA256
06463f258b0bd151a1c44270da66cb37d129880f9e11ac661208d1255f8ba4ac

SHA512
24a709cae57be5e8abd34559edb908a175db17b0321d4f012c466553e4766d6b233eee90f0d937b7be264c23b2c25eb9e10ae308f2a17491e47f92ff731312f9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3824eaa8ed5148671880921f485e1d78

SHA1
743d9572a59de6ddfd24f0f4ec8361281e9f30cf

SHA256
e5a665f8ad142e40aa710efd05b88e14b2d6d73686dc514c8c26749b3149ddad

SHA512
4382af95588873be9a285f6519e4c23164186d81da0e424cdb8acdd8a65db00eae883f4c356d1f7908cafabf27c9a7223053275079f1bf5daebc63fd17d746d2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7730aa536a57b717ea707853a32ef04f

SHA1
dd0671530c630cdd2b0e9cf9f4dcaef69982809d

SHA256
5f9719e1edd2f11b414d476e7e9fed172400c0019ca06969043abc7a635df0d7

SHA512
a1c117dd268329a71180a80a43096665012ce1944bcbc8679cfaa363b4636dfe2f984bdf2542a1bd96ecc6610795902eafbc0baf93294b6a6b4891a5a4404dc3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
75e7bbbb28adcb3d4a0647085653c789

SHA1
12939c262cf0d33054bbe419cf9167a921902701

SHA256
20bfb17288e0d780f40c581d9f7acb57fbe43309b5e6edced38d33a2a349f11b

SHA512
afb604937aee727207d7d931318443a65d6dff85eb4bea4dd5ffdc0ce5e88e80b28bfcced304243d5be455a593cf301d365790c8be8adec04f91844c82676ab6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d5eb341fa082b5231cb0501068172b95

SHA1
11256794e39ee77b40d87faf8b85fa0c877deee7

SHA256
856a52e976e7031385145a2ddfc43de1c1cc3ca58c167d0520019d6af93e37ac

SHA512
c03d4f7c2fd95ac6fc51d274b7c9c41f21b1749978a399c8f2a4fe4278979d3959bc661f9d99d7724a48ad6d763d7f09b6931136cbe407547d86ac7c4a9de203

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a5ac7fb586bd06b932275840f0aece6c

SHA1
66fee94ee85fd77ac44c1d59872a112c343fb3be

SHA256
273163dd1d6de2e47adb1800236db585958b7b0e6a2191d6f22ba1107f2e5215

SHA512
318a6479da087081d3a67c99c5df755a502fedeff298d7dee0c02ba593ea4cc8e2ff237a02f6a8d4f5a743f41ef9e318192dd5a24cf48ef5423d1712c458828d

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/384-87-0x0000000000000000-mapping.dmp

Download
memory/408-51-0x0000000000000000-mapping.dmp

Download
memory/500-91-0x0000000000000000-mapping.dmp

Download
memory/752-55-0x0000000000000000-mapping.dmp

Download
memory/832-31-0x0000000000000000-mapping.dmp

Download
memory/892-3-0x0000000000000000-mapping.dmp

Download
memory/976-35-0x0000000000000000-mapping.dmp

Download
memory/1000-90-0x0000000000000000-mapping.dmp

Download
memory/1056-19-0x0000000000000000-mapping.dmp

Download
memory/1100-23-0x0000000000000000-mapping.dmp

Download
memory/1184-83-0x0000000000000000-mapping.dmp

Download
memory/1336-67-0x0000000000000000-mapping.dmp

Download
memory/1384-79-0x0000000000000000-mapping.dmp

Download
memory/1440-93-0x0000000000000000-mapping.dmp

Download
memory/1496-92-0x0000000000000000-mapping.dmp

Download
memory/2052-95-0x0000000000000000-mapping.dmp

Download
memory/2068-75-0x0000000000000000-mapping.dmp

Download
memory/2156-39-0x0000000000000000-mapping.dmp

Download
memory/2164-59-0x0000000000000000-mapping.dmp

Download
memory/2172-94-0x0000000000000000-mapping.dmp

Download
memory/2188-11-0x0000000000000000-mapping.dmp

Download
memory/2752-7-0x0000000000000000-mapping.dmp

Download
memory/3196-89-0x0000000000000000-mapping.dmp

Download
memory/3544-47-0x0000000000000000-mapping.dmp

Download
memory/3844-2-0x0000000000000000-mapping.dmp

Download
memory/3880-71-0x0000000000000000-mapping.dmp

Download
memory/3936-27-0x0000000000000000-mapping.dmp

Download
memory/3948-15-0x0000000000000000-mapping.dmp

Download
memory/3992-43-0x0000000000000000-mapping.dmp

Download
memory/4076-63-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1176 wrote to memory of 3844	1176	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1176 wrote to memory of 3844	1176	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1176 wrote to memory of 3844	1176	b320b2d23159f10e47d51db6efad1e4b.exe	reg.exe
PID 1176 wrote to memory of 892	1176	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1176 wrote to memory of 892	1176	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1176 wrote to memory of 892	1176	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 892 wrote to memory of 2752	892	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 892 wrote to memory of 2752	892	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 892 wrote to memory of 2752	892	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2752 wrote to memory of 2188	2752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2752 wrote to memory of 2188	2752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2752 wrote to memory of 2188	2752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2188 wrote to memory of 3948	2188	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2188 wrote to memory of 3948	2188	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2188 wrote to memory of 3948	2188	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3948 wrote to memory of 1056	3948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3948 wrote to memory of 1056	3948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3948 wrote to memory of 1056	3948	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1056 wrote to memory of 1100	1056	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1056 wrote to memory of 1100	1056	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1056 wrote to memory of 1100	1056	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1100 wrote to memory of 3936	1100	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1100 wrote to memory of 3936	1100	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1100 wrote to memory of 3936	1100	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3936 wrote to memory of 832	3936	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3936 wrote to memory of 832	3936	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3936 wrote to memory of 832	3936	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 832 wrote to memory of 976	832	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 832 wrote to memory of 976	832	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 832 wrote to memory of 976	832	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 976 wrote to memory of 2156	976	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 976 wrote to memory of 2156	976	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 976 wrote to memory of 2156	976	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2156 wrote to memory of 3992	2156	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2156 wrote to memory of 3992	2156	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2156 wrote to memory of 3992	2156	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3992 wrote to memory of 3544	3992	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3992 wrote to memory of 3544	3992	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3992 wrote to memory of 3544	3992	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3544 wrote to memory of 408	3544	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3544 wrote to memory of 408	3544	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3544 wrote to memory of 408	3544	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 408 wrote to memory of 752	408	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 408 wrote to memory of 752	408	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 408 wrote to memory of 752	408	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 752 wrote to memory of 2164	752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 752 wrote to memory of 2164	752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 752 wrote to memory of 2164	752	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2164 wrote to memory of 4076	2164	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2164 wrote to memory of 4076	2164	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2164 wrote to memory of 4076	2164	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 4076 wrote to memory of 1336	4076	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 4076 wrote to memory of 1336	4076	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 4076 wrote to memory of 1336	4076	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1336 wrote to memory of 3880	1336	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1336 wrote to memory of 3880	1336	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1336 wrote to memory of 3880	1336	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3880 wrote to memory of 2068	3880	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3880 wrote to memory of 2068	3880	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 3880 wrote to memory of 2068	3880	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2068 wrote to memory of 1384	2068	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2068 wrote to memory of 1384	2068	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 2068 wrote to memory of 1384	2068	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe
PID 1384 wrote to memory of 1184	1384	b320b2d23159f10e47d51db6efad1e4b.exe	b320b2d23159f10e47d51db6efad1e4b.exe