8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
17-05-2021 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Size

303KB
MD5

efe50c9d27ab0e34b6ce2563abb8b33b
SHA1

073c4b1237d24ca46abe3b8a44844ee5f127762b
SHA256

8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e
SHA512

0571ec6e821923fc4133d5ddf846797e90db0569cef9b6965f7652cb16f9538167ca20ac16acee15c148a89190daa869cf4357cabb3276e636a22ec03f152a9b

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Drops file in Drivers directory 58 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\G:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\L:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\R:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\N:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\L:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\S:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\J:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\E:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\H:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\R:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\I:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\I:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\I:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\F:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\O:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\S:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\E:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\H:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\U:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\R:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\I:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\P:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\K:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\E:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\Q:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\X:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\U:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\W:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\L:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\V:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\N:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\E:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\R:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\G:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\J:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\O:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\F:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\I:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\Q:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\H:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\M:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\G:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\J:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\H:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\N:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\O:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\T:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\V:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\U:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\F:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\K:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\K:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\P:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
File opened (read-only)	\??\R:	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Modifies registry class 28 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1784	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1784	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
4080	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
4080	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
840	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
840	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3860	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3860	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
620	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
620	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2992	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2992	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1148	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1148	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1736	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1736	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2288	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2288	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3164	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3164	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
4024	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
4024	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2760	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2760	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2952	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2952	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1756	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
1756	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2312	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2312	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
388	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
388	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
752	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
752	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
"C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:624

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3568

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3164

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:708

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2952

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2800

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
PID:2288

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
PID:2172

C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
C:\Users\Admin\AppData\Local\Temp\8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
30⤵
- Drops file in Drivers directory
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c8fa0eb3993e6b357f84cf743b7e8e34

SHA1
dd9e5723066aa6c7fea4fbc5ec99954667774ce6

SHA256
1425ba9ca5e0984e674bb317b68a40528bb379089100b45a4f4b250137ee7cfd

SHA512
a70b84f3e4b46d197fd4b4f1705b62c41e28da6c0751e57d368dcec6d5348c33912c2cdd6dfd10049964721317e9e6f9f2ddb18ae4c33b32159381a29605459b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
88f6eb6b2de519ddbfc9e9d98f711b34

SHA1
04fda839c4d335115b3f4c3afa86487fd23e6c28

SHA256
d71479e858945ff0814f0bd42e7e41b5d508e3a6cea3af0b9f0f71ff4c1a5dad

SHA512
8c7e6103458ff8304fded8f15a10e9b6776cdb6acc91eead71284147e8534eb89de80b1d8ff7057aec4101a5842884377691d77f98517ca9dfd99805a773f373

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1d99dc8272810ad71510793363384d45

SHA1
427698a67737046bb87b62809f60fcf7984a1dfa

SHA256
8eb0f2f06e889159fe3a7f7495a11c9c9d9133957efe30f20a88d12b3c11146d

SHA512
2c655530e42cfb7cb4d2117e7101184f3570b6ab6295a94ba828dd2c6b58078510c0b8a3cb9ab3eace8c62c73f9d9bc9506ea23a67d445b7161dbf9d9cb11578

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
32a74f663c9766a95011c5c732e59fc3

SHA1
0abb9e76e48407b97e7aae175d7971200040d002

SHA256
cd1bd590fc8d066f33e0e6d5e59c131ceef8164257fe367e95927dd94acdb7e2

SHA512
137da0b690e1d8766962dee348f32d5dcf151749415e53493fd8eb85e1999412345e5add57efa15fe5bf020c4d472fcc1248049d003ab8bcb6ac7321d9682fe8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
61d0bec44bc956b9fb2d6783310fc379

SHA1
e515d86ac116e641c8fb188050c8f0ec0f81aece

SHA256
50612a9f1a1ab03af6124502fea231e64b689e6ee1b3de503c1b54e8cec464ec

SHA512
b020e98dc4b5a29156879709ce175872cc852980b9b760142fd981889c2cb255fb5c9bffa3ad78ab0295d0e3e39bb6d1b018360df9f88b533fec6e375ef1b620

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
33a7f46d9cd5301a1994ec95f81afc0b

SHA1
0dc20a18d31e4cd79450fc4213eb5df3b494eec0

SHA256
720ea68484e082d8918e3697c9e3a9188847475c3d496d9e38ecbd6f1fbb1602

SHA512
9f069cbb4590410a6bf95955573dbf0965b9147ccce44de88196bd0a8eab5a698715c34d1b3a9f191e7bc8fab1c9b33a796f11a274d19e39267b22ad88928dfb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
56f78a64cf42029e88178146173cfb80

SHA1
ce102d7b38be1fe6da75f2ef66ee7dc1fc491b2a

SHA256
591693245b69b16ebcca355645c6137324c06873b3431e0f49b5e6ccde762547

SHA512
9f1eefb0cc81a7d8ef87c689b1af8f81ac4001aa97ef7a0a02214adc220050ff0f55f248d23eb92cd01b77830d9eb3262b6440e844600fb205b18db44cef4277

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7bacad25f64f8ef835d1054b5c492f07

SHA1
27876c21710d1330fecb09586b97ac9a35ec10fb

SHA256
47dd17f3240bf7720261bf8626a98f13cbad67ba9d2e78fd346ce87c99b0258f

SHA512
1f8588415d17607fe27febe239463e5dca75cf2a37a4706d25f356f091473237916ab578b66861f50801a9478d832506d92c342d1630feaa5b889cf17ed9a5fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b349064e33897288c516cee0ed817674

SHA1
ff421199f574cb7020bc4c2ea9201c6e20d42ff9

SHA256
91dd518212ec4a5902e9bcd9124cb285b72984ba8f1cd06c322ecc42363fb125

SHA512
4639cdb95112d643d6876bbf04297c72fa992b1183987f5edeaf37168fc703566c656ce8efa47e17effa5c8283beb002cb3dd86b4bec08f241e911989fa78c88

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b15c5389af89765f4bbcf86677422cb6

SHA1
f353d6a5f2d6cd0bffe1d63c91016043064e01f4

SHA256
fd4b63412b1419304e73d6609e4314ffb9aa1b7cb12a64513b6e9a3e746ce54a

SHA512
fada98c4d2666618115d457eae7a15e1103b03469cc862b485fd949f8982800bb4980c9e8626ebdea2703bcc0b850bd1a25aa6aedcbd59f34366176d6968efca

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0bd1bf6cbdfa446865911b9d58eb4c20

SHA1
a834228abc73a412cfa708898f00f904bd6ae900

SHA256
53fa0a9e9f390f9ec9aac3569d868d517945534b7f1111877b5360c3f1229c76

SHA512
be62177ee16409548935ca7e1d4585ecfe6e9c1ef91d1bc4ca20f3b689f6fe1e3544e962702e1dce6c00bd4747f463387dd7809f03c7c2735b72d0cab348b959

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
660a0ff9ea57a12c127c7eaca2507df8

SHA1
dccb8b81d4a39a25bbd0253d614f02c22dbe139c

SHA256
73acd4fed13fc18255846d22bb0d78de2871090637dd79d1dd8cb1a0bfd1d465

SHA512
0b2bf88da367c56a63287f039b64e4ec038feee7647a09e0222b1027c54fda93de348354f158721c9ac273a6d35373259a614a77703a2be6329545749e237bc2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
742b859fb943f6621be400d699c8082b

SHA1
ef8527aa3f0f4e97720ecd64112d22cbddb6218b

SHA256
cf1c41d39cb23dd186e8dbb83643ff0ea96cb7ce62d6bcbd200a1135b9700afa

SHA512
812a9fc20ca7bfa12e9cc172bc3f170cca7ab62e2067fec3e9c5fe94dee104aba326e8b90087c382cbcf6732dbf784dadf10a9543ddd226d85485d096edccd2c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
66bf7f008287d7e393283a8cddf3150d

SHA1
2c094068e94e8d1ec503b3d0ffd67a440f5cc3fd

SHA256
bf453e86a333e21fee347629657eebd3f5df69bdc6009809b23c356cf62f694e

SHA512
9669fad6d516a5026797834fc80868c858fd9bb3cbb084934af39015acd88a5679c9d10569ea92b6bdff7bdfda398e78d70922b15712f52e8031101238b77036

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d6f71e7c0efb14368088c23cfcdc2dd5

SHA1
9792aef0fc823474fb673e0eab3d8f101ca24cc9

SHA256
27cd1251f6647575d1883e6b1d3634afb9551d6cc72d535bcf2e7d51529856f3

SHA512
804701dd4d3eaf4cc60a1c78f388b7f13d459db42b59f456e9aaef3bab79dbf3329ed0f7ad7ca62713741f67757887cfddc802998d8e37c68e5c5c78dd29b62b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a200dc25a7942e7958f5673a129c61a9

SHA1
1b179c32183d6658b8eb3ec34853b583924a088b

SHA256
411bd8a11293c5e0144f09eaae547dbdb7e385d7e7c6267e1cba5c3c93804841

SHA512
30f5080a07d96a90e512ce89066ab419a623c3b63e139c023b637a6d6798c3b042153b1a72ef9f3481d1b67e3a560b565c9731461c1b62b80ed2cccc6a4c9c3e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a8be3afc53a7cf98752d535ef95fccef

SHA1
9fda41c427c62f7e3eb3530cbbea3fcaed1034ec

SHA256
0a95338c6f0bb0810a8e891a5da34e4957df8af24354acd988f9767f90e49f60

SHA512
afb4acfb6e2b3ba2aa55b7c1d4fa1abb195abb3a3f6cefb5201ce10bc7a815291adbd20dd9b4ac1a060df5b884ad9485d2e14be9db3d9f0da36d3174dbb75e17

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
79be3793e4801bab4edf57085d1be098

SHA1
df1f3387646c8b9abe3278ae1b9e1dc74446a975

SHA256
4aa2d1bbd143d1d754c6ec22cbd2fe8df56c84740b1a8b2cb6c64bcef9a8238d

SHA512
6d6ae35966a9da304d847aeec54f67e63649dc68023acad80460754b94b837c9bf479b166c5535b0bcc08006014d2bd915f61c04d8b6eb5f3a773cfde0a22155

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
24d63a757c3bc4435083f12a7900d162

SHA1
6d1b12c98add3264b53ceb671fd31cdc54a5775b

SHA256
dba6559fe2e93e4e0a6039d77f28317bd7fc788a5f20427dd1b3f692681d11ca

SHA512
cbe2db378015ed89db9b2b244793573c0cc014af2e5b23deea9ddfd6d13aa5cff269ab3cc6688c27197a7483c56248feca124b6d403d951080fbc522300acc43

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0419d9cd614d3f2fa80be2f2a421e72c

SHA1
82616718f78b82a7c79ffddb3400bf5ab0f48cee

SHA256
1cdfd4038ae39d59ca9bbe21ddfdc0872083943b1dd60a65f8451e651167f6d7

SHA512
9e6a35a10895945f96a2fb5ac9c2faa0ca677646ad7cb223bf818578cc7f8c11e4724bcd42f29e4c87b872f926f66e5b37c1e8c80a094f0792b119c7572f83e0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ec64fddf1399c4173cef87e4ee907c31

SHA1
0241fb89b9b011bfa4cfbc74f13935ae17ff2cc2

SHA256
fd721c1969e742e85072be5ed269e7ce0ab4ba0a9d65cd3450eec9626e08af62

SHA512
ed34feb69ba27fe631c7c99b54c31a84449996f83e20d7294f22ebf4eaa39a0fba7d6f5f0f4a6eff1003411da26f390e48222e3469451fea758e6ce56a261df4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b3fde0a8d6db61de19f85afb2440c55f

SHA1
fa16c882d61882047bafa041cc5aa2e413c13fed

SHA256
e4beca3fcff14d4812aed48429b28a2da3ec9d6ab66b62fd3e8294943521ebb6

SHA512
fafa109d2a2f688112cff1491fba995967527ec46b623b8ab4291ca535a39cd5baa6b540d770f951a3d30e386fcbf5df1b6ce57a2dd705621d95dff1e5bed1c3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1724d5dfed2c69141fa0e0962f874de8

SHA1
6d70651832daf408e224a336460fdbbf94bc6f36

SHA256
f50982ec698b50512e0d7b50e9c1920178fb7cafa581d71c0da6e2b2fb95736a

SHA512
6c4b1f8c01f39415f3fa3f07dc20f357dd3463efb2f5381bcc91f62d21c95a8a0b45fe464b960f7ec3a0a2844de251eba873fc546d75463baa415c718e3bcaf4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ef9445f8c08b87b5e5b8e12694707948

SHA1
08c072aaacd63f657ec6a47e89ab843608460ec3

SHA256
e4efb22efb9601ad251b70a4a277a24bfd128ba93d79d0e6700921bce25d31b7

SHA512
2ff6f523f5ca417013b7ecfdbb7589b28fd9f59935be55063dcb7f8544ac43d01115cd7da7c54c6f52a6cd75199db068fa8e72cbcac21098eff21dc1df4c719c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
018f982046164cbfb9b952a1ca05b4bb

SHA1
9127999d2b50163e5f95c0f47bf4ad6ebd5971c6

SHA256
2493c80d535d13f588b5af90987708f33ff7f6a57edd497f8b217b816f8b63d8

SHA512
ecab7ca43260702244ccd1ed8b6fcd29c32c9101b143986bd5c7e52c88bfee85cf707d7ea7c5d62443685a43d88e50bb5910c492d4ab1359b3f2f2e6725bf695

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
50f110d16c1328963d527a36738ceadd

SHA1
3bb1d5a1d0f21bf0aa1684d2059f34b5a67a05b5

SHA256
4794839d51c1fd9b35a61383456702d8e12e31ef7cb4f501db61ec41997eac36

SHA512
10cb93d684cc4e3c1638ae9f0093ac8e10386e4e5645225ba4ba2bf9c022ac97bdd678b79427780903c384ace1d05e453dbcaebb94080ca266df7b3532912560

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1b55b3f669fda3da6ef27251338ead90

SHA1
57be48e590cdd0b4bef1d2466d511e7d9c3227ba

SHA256
a69a7ba56db1c867febcf86b450a354633d173ab7aa49da543a9824508d35259

SHA512
d44fd412ecf8520fbb8b7c3815111304b522bee2347fa4271108bf0658ddf90d406bf33602bb0cdf8ab7905622a0434f107d3f3118bc2528414c40281c197325

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
cb856f56745827abe7f88b765d215f50

SHA1
6cceef3a4b44f2ccdaebe05310ebce8df44ab516

SHA256
ceb1fd6544afb564d3f37397be9e559026f6efca84b0822448a975b69d40394c

SHA512
12f293172479a84be2afa979ee132b5d03678d814bf9cdcdc94d885dccb8deb689f50d648b8fc43977432247844ed826421cb92f2f78ebf05af5061306b6e6b0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f490e2822cc97868ed34055204a533ff

SHA1
a2b23d83f624d085b6768e35ad2f87dbea025be8

SHA256
751fbd0dc9e19725011bc1e30c03ec110a0077a199319355af080c4e0a00ec7a

SHA512
26ad22d24bdf5aecc1eff3b5c64d39de0c5f7c6cbc0fddead871f448d987cbc5cca39a3ade2dcb0af1811f12b466fba83cfc03e5410b4aa051fa55297a2894de

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/388-203-0x0000000000000000-mapping.dmp

Download
memory/620-140-0x0000000000000000-mapping.dmp

Download
memory/624-144-0x0000000000000000-mapping.dmp

Download
memory/708-176-0x0000000000000000-mapping.dmp

Download
memory/708-136-0x0000000000000000-mapping.dmp

Download
memory/752-204-0x0000000000000000-mapping.dmp

Download
memory/840-128-0x0000000000000000-mapping.dmp

Download
memory/1148-156-0x0000000000000000-mapping.dmp

Download
memory/1244-207-0x0000000000000000-mapping.dmp

Download
memory/1308-160-0x0000000000000000-mapping.dmp

Download
memory/1736-164-0x0000000000000000-mapping.dmp

Download
memory/1756-196-0x0000000000000000-mapping.dmp

Download
memory/1784-115-0x0000000000000000-mapping.dmp

Download
memory/2172-206-0x0000000000000000-mapping.dmp

Download
memory/2288-205-0x0000000000000000-mapping.dmp

Download
memory/2288-168-0x0000000000000000-mapping.dmp

Download
memory/2312-202-0x0000000000000000-mapping.dmp

Download
memory/2364-192-0x0000000000000000-mapping.dmp

Download
memory/2364-124-0x0000000000000000-mapping.dmp

Download
memory/2760-184-0x0000000000000000-mapping.dmp

Download
memory/2800-200-0x0000000000000000-mapping.dmp

Download
memory/2952-188-0x0000000000000000-mapping.dmp

Download
memory/2992-148-0x0000000000000000-mapping.dmp

Download
memory/3164-172-0x0000000000000000-mapping.dmp

Download
memory/3432-114-0x0000000000000000-mapping.dmp

Download
memory/3568-152-0x0000000000000000-mapping.dmp

Download
memory/3800-116-0x0000000000000000-mapping.dmp

Download
memory/3860-132-0x0000000000000000-mapping.dmp

Download
memory/4024-180-0x0000000000000000-mapping.dmp

Download
memory/4080-120-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 624 wrote to memory of 3432	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	reg.exe
PID 624 wrote to memory of 3432	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	reg.exe
PID 624 wrote to memory of 3432	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	reg.exe
PID 624 wrote to memory of 1784	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 624 wrote to memory of 1784	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 624 wrote to memory of 1784	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1784 wrote to memory of 3800	1784	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1784 wrote to memory of 3800	1784	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1784 wrote to memory of 3800	1784	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3800 wrote to memory of 4080	3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3800 wrote to memory of 4080	3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3800 wrote to memory of 4080	3800	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4080 wrote to memory of 2364	4080	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4080 wrote to memory of 2364	4080	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4080 wrote to memory of 2364	4080	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2364 wrote to memory of 840	2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2364 wrote to memory of 840	2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2364 wrote to memory of 840	2364	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 840 wrote to memory of 3860	840	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 840 wrote to memory of 3860	840	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 840 wrote to memory of 3860	840	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3860 wrote to memory of 708	3860	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3860 wrote to memory of 708	3860	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3860 wrote to memory of 708	3860	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 620	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 620	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 620	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 620 wrote to memory of 624	620	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 620 wrote to memory of 624	620	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 620 wrote to memory of 624	620	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 624 wrote to memory of 2992	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 624 wrote to memory of 2992	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 624 wrote to memory of 2992	624	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2992 wrote to memory of 3568	2992	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2992 wrote to memory of 3568	2992	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2992 wrote to memory of 3568	2992	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3568 wrote to memory of 1148	3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3568 wrote to memory of 1148	3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3568 wrote to memory of 1148	3568	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1148 wrote to memory of 1308	1148	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1148 wrote to memory of 1308	1148	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1148 wrote to memory of 1308	1148	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1308 wrote to memory of 1736	1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1308 wrote to memory of 1736	1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1308 wrote to memory of 1736	1308	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1736 wrote to memory of 2288	1736	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1736 wrote to memory of 2288	1736	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 1736 wrote to memory of 2288	1736	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2288 wrote to memory of 3164	2288	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2288 wrote to memory of 3164	2288	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2288 wrote to memory of 3164	2288	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3164 wrote to memory of 708	3164	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3164 wrote to memory of 708	3164	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 3164 wrote to memory of 708	3164	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 4024	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 4024	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 708 wrote to memory of 4024	708	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4024 wrote to memory of 2760	4024	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4024 wrote to memory of 2760	4024	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 4024 wrote to memory of 2760	4024	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2760 wrote to memory of 2952	2760	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2760 wrote to memory of 2952	2760	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2760 wrote to memory of 2952	2760	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe
PID 2952 wrote to memory of 2364	2952	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe	8a4dbc201541d2173da41d67fea5fa92e2efbc22e2f41303a4550db13bf66c1e.exe