de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361

Analysis

max time kernel
151s
max time network
145s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Size

142KB
MD5

3ac5c99e799afc95948387e5a11111cf
SHA1

d72af183d37682353dea2913c3d1e1bcc991498d
SHA256

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361
SHA512

7517d3d41871b3112cc3395412754cd013a9dafd8cac5dcc9d2ef391f78dd05dde138446978c82c2372b252c3d8d4dbc1bd552a91fe8b317fbf5e6cef32308ad

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Modifies system executable filetype association 2 TTPs 23 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Drops file in Drivers directory 46 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\J:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\I:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\N:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\E:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\J:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\T:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\E:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\R:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\N:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\T:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\E:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\O:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\O:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\I:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\R:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\E:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\P:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\O:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\K:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\F:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\K:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\I:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\K:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\F:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\N:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\P:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\T:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Modifies registry class 23 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

pid	process
1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1084	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1032	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1932	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1480	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1504	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
848	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
900	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1988	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
896	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
948	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
644	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1996	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
296	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
940	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
344	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1036	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1600	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2024	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
"C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:704

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:896

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:644

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:296

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:344

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1600

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2024

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
885f75c1219899f24b48953e4c602174

SHA1
38c42ce08a30842673fbafd0508319055cbae991

SHA256
754e776ba6aa2268991cd6d56a68c59722a10a00fb5438c44f031b9bdd10afa9

SHA512
1cde2b208e2d8e132a665e1f58a34d41fdfd4e38cef464f8de10f8fc66c14150476c1504773c16f5e8738b45ba754ce0c7bdca2aa0fce3f0f7e5422f727a9d25

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
763d53cdc45ad1c077762c0a5a9568a6

SHA1
113591f576bd3c835a0303c7b429ad06841795d7

SHA256
53142afb006b9b41dd22f8959ecbb7b183b442e89f2239092c8503453e0bb0a0

SHA512
662fbef84fab9e7397ff17e9f83f3986e6e0b242ba3ba056816647af32c07c6ca49b1e3f3cc66cc98ee7829c4a662050078630b997367ceed31c2f5d8c85a959

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
850e9a30f5cb98df720bffc69132c879

SHA1
2150fa498bfb1fd2850f9e94a221638692b022cc

SHA256
689eb1526caab86c7351ad0973b6e5b512df6fd3ecbf1f40b46ab311f371c08c

SHA512
6b1b9db342521862618d1f20a2b940eb5780e34596e5f731f341836e0f809b8bea1c78b044aff0568bc1ef6e8f814bf7d6c52ff1d5b63f5551c207a31a1144a4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a2529067544a0f966ca570a3f6ee95d8

SHA1
89ababdbfdb848aa73da05253fbf235e99bc5e09

SHA256
abb8474d033b3f71cb4c18aec11045add0ef9ecedec325151ff02ecd6da69ce2

SHA512
497898f8b0cff6e3b2eddaef6ddb5add30fa3fb0cb466f953510617fb436eaa6a52642e3c46bcbdf3e557d55680d3865964cbc589aac12a3d8ae2cd64223a932

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
05cf43fa8d2de6dd542998737e129896

SHA1
3080852d06590c7d2b0727732bd25e44248531b3

SHA256
ebc7cfe539ef28aed36fe237f696e1d04b0c9ac684b1751c6c08cc6ccac52ea7

SHA512
2a26fac98dc1b78036d7f8725d28b19c1c39cbb8b139d87a7a2868afd3fc337d855572c7232fc5173d9e522242a1c941509f8a63e23ab5daade407949b011340

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d29ffc758cce844c26c519dbccf1c7a2

SHA1
dbabe1972b3f2b460a762a89b85d214cf8cf92ab

SHA256
cf8e7abd99142f4698f344c3c383012cfcdb3f0e79cde560c80bf3ac9ff23b45

SHA512
e6b37bcda1f187e96bebfcdb673aba8d60bcaa5f09d7858f987116ae1aca44cc85d3dec39512d22250ad1811d5bdb94500667e4fa0aa1eaab5c4f600cc954f1e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
78adb15dcb4bc0a046c411b058e761d4

SHA1
7264e5d9c6f630f26c063302caf6083d47184c29

SHA256
7a463f9f41a57b101d4cac98acc84e4d00245c4c6fcf4a1678afdc7b4b199fa3

SHA512
3c880a27c30acd7f76594e82455a8fb3cd6b4368cb8eeeb451caedc63517cb6e430253e903477c0a54408645edfc7dceb78e88c63b0afd91b57f443c5742b5b2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
75295a327d280c29c6823f73155d0623

SHA1
b99e3a5620b4158c68352ac8a1653c612a48ca0e

SHA256
50c95e1f95fb893a1c41229d098ece8fbd6c88357747b186025548fc6809cf95

SHA512
32fbec6f72df2a47b0d0c58bb0ca700bb908fb2cc6029d97d1c24cbf404dba593cb31e6ee4396b8dab6cd9b59057ddd151848887df9770fdcf62413985fb1104

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c942241c7f97c9dbecb0dca0d1314e5e

SHA1
a5b59a1686fe1a40e650a6004b1e37210a868c66

SHA256
fbff83afff356cb5b92d04cf7bd08bc82c122a785a1f43c274e0c4ae0d793c4e

SHA512
b21ca86e32c41b398f629c7543984fa12719f28490fd2ad3babc51b0fd3762043945c4fdcd6cbe658985de021e678a23e0da6f92938cae7aa48d28aeaaad0490

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c968c398da73b7c04475b71d0cdd1f99

SHA1
ee0cb26c9b3044878a728f42cf363ee69126ed4f

SHA256
fd126bdd52c86a36436c34f1234b3dbab956e418c600bc85376c7d8a92baeacd

SHA512
ca3964dadd7853299a1fa715298abd87d8656a6b8af8a5ec574c659143df46b8d156638629e2275f112daf34b2e37979b1de15efd421db605ebe09304ecb8078

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bc88a3a82d131d3985775c9354816391

SHA1
8e752cab266f227fc64097199e8ac957c9f098b8

SHA256
605939778de7b76abb10ec96e5929878d8108b50a9b559d1cb9317a9319f73ae

SHA512
7460dc1e90652b355a2e68d1fbf9aabecda6b36540885b78b9e780105fb7d22cae260ca50015ed5336911426158a457c82a3ab30439b0381f66dc5d05350536c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
48f8e08412d0aae079d1062754fbb14a

SHA1
8a2328fd74176522cc55090822b4bccc27570095

SHA256
e479ba6fde13621ab65b82e9be50c8fa839412d233b19f02c6530b12d2e468f3

SHA512
7851768185e1af5aa93de749b1b53f5fd93ce5c75d8956d238ed47dc54b3a20612e1ce0999d3aed25babef93c4d30d50043296bc14fdd669d73ef7c5027560ed

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1d0f02fd6e79be8eee4050e2fb178eec

SHA1
832d0c3eeea4bbdf6adab11770b2ddde90cb4dfe

SHA256
c6d0f338d033f1c3610dc1fe40332e8a2ab824d696d353f1fd9021ca0b09fe46

SHA512
4c93c6adbe290d52231f1e5675eb7e825baba853ee82d33d6ae0654b0b0eef310cf15ae16fb76d36a275013149e0eaaf8956553f1a9a00e84a3e33200463e865

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6a2fb88cb5cc8ebce2624659aeb6963c

SHA1
44e33bee11583ed790368a4a2d2ee1b2e03dbdf4

SHA256
b4f304f40d323009001030612e3da9f7624298e329ac2bdcc3585d4c44bafa04

SHA512
4f25d58c0ad5cd3b468dd9c091c3803cfaceab82972d4666393e5714f368271e690838eff4618a3a5e54229be35837b3757a23c0299a68bf1187d2b726cefe23

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e299bb62012b312c63ef7b75baadbfdd

SHA1
13376833f39334d3c4e02e5d114af4187897fbdc

SHA256
0b3a09e7d072e3242506afc12f60ead69d690c106775277ce5c715c00fb14d90

SHA512
a9055c00a6ad0c62766b9d4140d18b061bce6cb285129853bfe8df094ca4319d366bd480711f92184bd5fe7829b6f6a0e07b6b04709c69b21a88a82b56b5f42c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8eb127aaad4d377e95d9f6153ad8c7f2

SHA1
5ecde10869693adbefed65cdb81bce31aa347cf4

SHA256
56b9a187cf45273091a80092ecbea6db5b21f72fe0484db19045062f646ae179

SHA512
2d142b4fe53f1e7442cfa6e6e390bf97f186d86dcce357249f9f7a6be10dcb3714a2bf77985191e6b7277f9a69fa460cbf43ffbbcd9fa80cbc972f1480c8cb6c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
07a79bd66fc3d4f665200b57f72e7960

SHA1
426aae8f8414c601511741f49531c5724e9c791a

SHA256
9f89ae0dc1bd5e2a91facc83f21c7903e7f671c21e1d61a578925b0e365521c8

SHA512
230fb041200b18e82d9f13bce1ff3b79e625ce7362b3346a99d03cc6fb59cbed6bc0b08623b8515758fd77284d767b54352699b1b6973561dad18eb859211cd3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a40445aa5166a3f2154e2842d38b1f8c

SHA1
3e2a06cd1a0b7a49ae06a85fced71ed85121680d

SHA256
8a2a0e3526cfbad60fcf2fb6c79f9513605eac8e4a3c7a8f62f717e14bdad00c

SHA512
bb85df6920a09a1109e87e38fdac3b3d815aa3b0cd330b99352c2686a323c9717c984310dc24d3759b62413623fed1512407c75368e3da5ca32e6f9fd6707f59

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a198a601d154285cee403bd23cbdcc0e

SHA1
a322db992d6ace2ee0f3154eb5ac21abf9ecc4de

SHA256
55002ce72cd126d7921ab98bee30b77fedb7826c2b2ee2ce19595b0904a664d2

SHA512
e91205639489a0e95468a8df90b9cf682000f3c17e2a928cc6fc4ffb0affd25407303f66880a36d6c8c074a70f7055bfc725fff88d1830e87547dfc55968d5cd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f6af3bf1654fe6f0a6a70dbe2de8d19b

SHA1
fe71bb9f1d8bb91a275a1c2996e5a54947c00bd2

SHA256
bcedb2c8bb55769ddd897f2f15b88c40f37f0836e91b95378263d8d4f5fa4bd1

SHA512
9b0b53688c7a94e97b24dca95044f6e32430b2c9cde03ac937e858a751207cd023e465b275ee9fb17e4c024ca7c7d53e37c103bc7e9844db6ceb5dc85635f684

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
39f8e1cc29a67a7c56c002da5d2a92c6

SHA1
28dc38964470e5209d896e0da3496252883d4623

SHA256
d3efdce702b269d9c22e6417781d10c0d35fe1a565e53b503f8e9e0394b75c0b

SHA512
a6db2dfe5651ef1b08fa09b42f7902d195645ca3411edcdbf8bf9246da22150b33752d6eddde2b1c5e6e033fb43bdd5d99bd912b516ff881870ed89a425e560e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4798b3d998ab4e2703d340129b2ac325

SHA1
f2d55552b9d6028074e2e2043021fce6ab2adc07

SHA256
4ad81049b75a954c96bdfe6f842f4850989d1e188eafba6af693943a027706ff

SHA512
bb32b2919d34fc848b9ee22153800fb876a6a670b28ddd3a1d91842911a0fc537b6e81fd07d8d49a42768a0c0f78119e5d2bfbba764ec0d653138efd57f469bc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4f39ec355f7d4ad2f289e20ccab2b4f4

SHA1
24d426251efecf9cbb738e07bf6606973722b1fc

SHA256
cebb367b6897174020aaa446cd7f65d0b9d75f5b2a29a8ba0d9a571c105e8dca

SHA512
92bb758089d9ab58caca988733f2bbd68104ec6161626d54eb72497816240c9a56b2317015403ccc68b68289df163abf38df965257b9f182295df820e037ca7b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e5a115f6563020711e70991cc8a99aa8

SHA1
447b76b9b620096497190c4ee4ef0bdf71fe5142

SHA256
9cd205119f43c374e66207c2c9a4f9c240a5640324293e3ca244ce0998fde6e5

SHA512
540dc82c4a467bad2e4475b34fe3e6e533dbf417d8e5febc6c41f4aea79233d49a39b15b5c29c1ad698264c7746318ca9f5e162b1c8678bf5a784156247f6135

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ffc4e3b2e8e0103a7ebb0d1d054dede0

SHA1
f70bac376a4d769ae6191ab5769a937ac84c51cd

SHA256
502523fd8f0bc666575ac500f13a734d7c8c8dede6c54ac70fa355ad57c5a7d1

SHA512
20256f121c930f208c28bea4bd35407bb62a7d85832655d6f9f6f5cc69b277cd42ac3b19b4529595462bb47934ad326d020e3e6493ebdf7a3aee81066c6a553b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
22b65d738091290a9c2f2cddad291e2e

SHA1
b9f41c366aa420ef941188c2138bea300a8e0c6c

SHA256
8030555e4108b78bad959e0f1d9a45e25e26bb96baf9a4d3a44c971416dc4773

SHA512
8aabb6cb78fe333eeecdfbdddb6701260341cdf9c27189049186af42687dda2310f8e0c1adf22de78c726a03c74637f12af76ce1dbc5f209cc367610913bf899

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a3307f79aa33835c65535fb8074a13f2

SHA1
0cf97926affbd05405f7112c2b33efea61851df6

SHA256
1d4723ed443c9a675708e4d385523b33d29363cfa42504b39211f37e1ff7a673

SHA512
bcc8d83c4b137f9e7ac41e8bf6ccea9db3f729ac465fc291a2599630882907c529b6189efe80e3f0de609dc5a8372aa111c43b1de87a0c8e8d6468648975d547

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
06a6798b3f4671bd03830bd362fb005b

SHA1
b982d88b029bf7d0818eceab7c5a512153dbd7e5

SHA256
a9c242f0bd3fdac7ce0d0c8907ef1e629637d2e6e8496be7a57925268eb5f5e3

SHA512
85d7f43d0aa7e66cf389cc4c480ffb974472eb31dafa1f0a66211daefa8be2efc30cf5e472f992d98e2de0c19eddd324ca3e2f6f35452f4c0b63d8e803c48bcf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
28e05ba70d0b2c0102ced20967575ffc

SHA1
da183417b214492f7acaa36db78f3bb720892fb7

SHA256
151e43db96d4a71bfb4835214850273b6313b7407b6e679afac68f3cdffbe984

SHA512
b24f5758772ced88ceb832a448b2dc80d0afffa53273007283b91f0d5e87e1335067f50f7b72c347a88f833e1ceddc274e1881b252b00aa614c49f61de83e93b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
62f92ba35693e765280c5fd39783f275

SHA1
b2c782e317e9cc0df63f775c50002c45aeeb2572

SHA256
013295775056257e478aa79b1383bf62c2b97c4efc4a491a654a1f1c3a6085ed

SHA512
9e66c12730035b44b7da5e8949a87b31317d4e55c13fc3ef9d697af7fe1489757bc2df2dce870867eb032bec21d686cc2d431577af0a2077df0af9c2867f6a22

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2d7773dd09cc707c631886d30304be63

SHA1
449f99e615357e12224b5892d62bce8a7a457773

SHA256
d7357f452cf9de3363a5ba7afddb82b1508f2791128cd5e95a2caa8ca2874b17

SHA512
f4dc31a89ebfde96824790e83ceb6fbe3b5c64f59486be5b6ed0c44e81cc9744007d6113ef6baf5b6514d64f23159dc0d56d687dd4a8aea9c3c113793f7991a4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3a385222133a63ad491ee30809e8c908

SHA1
f1e1673d039d620c798f7251eb893ba08da81d32

SHA256
47f8d7466ef5bc8e4d7b90b5a3f57e5a04a752f25f17ae925c35dbb41c44a653

SHA512
6c60d0392085080c57b95f4f8f6b8cf7efc195b27db3ccba617e472131e57eacfa5568ee6b760132907807a0ae4d29f2628dc4142bd0f605f70d9fb8ce91119a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
db648e2fd423e4029c012a1edcca0835

SHA1
2c1d5b0f13f277f1df34f62bd0b7d4adba9f3e60

SHA256
1292bd8287d9835fd542a863d98531beaf71ada941f09a90091b373b8f2ff657

SHA512
7e7fada59f496aed95ad97f7fd7c54e5488b3a5fc4a6b4aa16ddae70ca59302a04bc1b7fb2a47f412b4a23fb21ee6d46661f588c90212a82123811c7e86b7d55

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/296-140-0x0000000000000000-mapping.dmp

Download
memory/344-150-0x0000000000000000-mapping.dmp

Download
memory/644-130-0x0000000000000000-mapping.dmp

Download
memory/704-90-0x0000000000000000-mapping.dmp

Download
memory/848-105-0x0000000000000000-mapping.dmp

Download
memory/896-120-0x0000000000000000-mapping.dmp

Download
memory/900-110-0x0000000000000000-mapping.dmp

Download
memory/940-145-0x0000000000000000-mapping.dmp

Download
memory/948-125-0x0000000000000000-mapping.dmp

Download
memory/1032-65-0x0000000000000000-mapping.dmp

Download
memory/1036-155-0x0000000000000000-mapping.dmp

Download
memory/1084-61-0x0000000000000000-mapping.dmp

Download
memory/1212-100-0x0000000000000000-mapping.dmp

Download
memory/1212-70-0x0000000000000000-mapping.dmp

Download
memory/1420-60-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1480-85-0x0000000000000000-mapping.dmp

Download
memory/1504-95-0x0000000000000000-mapping.dmp

Download
memory/1600-160-0x0000000000000000-mapping.dmp

Download
memory/1640-59-0x0000000000000000-mapping.dmp

Download
memory/1704-80-0x0000000000000000-mapping.dmp

Download
memory/1932-75-0x0000000000000000-mapping.dmp

Download
memory/1988-115-0x0000000000000000-mapping.dmp

Download
memory/1996-135-0x0000000000000000-mapping.dmp

Download
memory/2024-165-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1420 wrote to memory of 1640	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 1420 wrote to memory of 1640	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 1420 wrote to memory of 1640	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 1420 wrote to memory of 1640	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 1420 wrote to memory of 1084	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1420 wrote to memory of 1084	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1420 wrote to memory of 1084	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1420 wrote to memory of 1084	1420	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1084 wrote to memory of 1032	1084	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1084 wrote to memory of 1032	1084	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1084 wrote to memory of 1032	1084	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1084 wrote to memory of 1032	1084	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1032 wrote to memory of 1212	1032	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1032 wrote to memory of 1212	1032	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1032 wrote to memory of 1212	1032	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1032 wrote to memory of 1212	1032	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 1932	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 1932	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 1932	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 1932	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1932 wrote to memory of 1704	1932	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1932 wrote to memory of 1704	1932	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1932 wrote to memory of 1704	1932	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1932 wrote to memory of 1704	1932	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1704 wrote to memory of 1480	1704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1704 wrote to memory of 1480	1704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1704 wrote to memory of 1480	1704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1704 wrote to memory of 1480	1704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1480 wrote to memory of 704	1480	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1480 wrote to memory of 704	1480	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1480 wrote to memory of 704	1480	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1480 wrote to memory of 704	1480	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 704 wrote to memory of 1504	704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 704 wrote to memory of 1504	704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 704 wrote to memory of 1504	704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 704 wrote to memory of 1504	704	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1504 wrote to memory of 1212	1504	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1504 wrote to memory of 1212	1504	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1504 wrote to memory of 1212	1504	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1504 wrote to memory of 1212	1504	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 848	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 848	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 848	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1212 wrote to memory of 848	1212	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 848 wrote to memory of 900	848	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 848 wrote to memory of 900	848	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 848 wrote to memory of 900	848	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 848 wrote to memory of 900	848	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 900 wrote to memory of 1988	900	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 900 wrote to memory of 1988	900	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 900 wrote to memory of 1988	900	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 900 wrote to memory of 1988	900	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1988 wrote to memory of 896	1988	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1988 wrote to memory of 896	1988	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1988 wrote to memory of 896	1988	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1988 wrote to memory of 896	1988	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 896 wrote to memory of 948	896	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 896 wrote to memory of 948	896	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 896 wrote to memory of 948	896	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 896 wrote to memory of 948	896	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 948 wrote to memory of 644	948	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 948 wrote to memory of 644	948	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 948 wrote to memory of 644	948	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 948 wrote to memory of 644	948	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads