de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Size

142KB
MD5

3ac5c99e799afc95948387e5a11111cf
SHA1

d72af183d37682353dea2913c3d1e1bcc991498d
SHA256

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361
SHA512

7517d3d41871b3112cc3395412754cd013a9dafd8cac5dcc9d2ef391f78dd05dde138446978c82c2372b252c3d8d4dbc1bd552a91fe8b317fbf5e6cef32308ad

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exede1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\K:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\P:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\R:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\R:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\R:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\J:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\F:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\T:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\H:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\O:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\I:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\I:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\T:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\U:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\X:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\W:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\F:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\P:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\L:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\E:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\P:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\M:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\F:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\O:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\J:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\G:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\S:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\V:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\Q:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
File opened (read-only)	\??\K:	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

pid	process
3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3980	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3980	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
196	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
196	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2548	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2548	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3828	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3828	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1664	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1664	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2104	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2104	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
584	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
584	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3604	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3604	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
992	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
992	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3724	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3724	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1264	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
1264	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3984	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3984	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3812	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3812	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
4036	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
4036	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3696	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3696	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3488	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3488	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3928	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3928	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2768	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2768	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
"C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:96

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:196

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:96

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:584

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:992

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3772

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3724

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2216

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4036

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2684

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3488

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2768

C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
C:\Users\Admin\AppData\Local\Temp\de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
30⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
305b33c41a3f4faed5560e15e913a071

SHA1
e28dfc7250b76217fc03a92ee012faf326f99ef1

SHA256
22323d4ea1c9b5184094f2e68fc9eb7985a78a08fc388b2c32afd13ba30358c9

SHA512
49ef054d9bea649e8cb25df68ce2737d8e1e55233740096cfad2367a990fae0a3a2268545065fc59f61992c96c6dd968ed6a10904644b520d9b35e804d0c1d78

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
50445892bad645ee776a689849cbe84c

SHA1
e2b61f752ab112839058ff9755a26c16c2970e78

SHA256
8218e0adbb7c3de281b5f076a1d742d753e6adf08e5bee94dd6e40132cb66906

SHA512
3118a3b057327c0ca2b723a7c10338d6a6714cf6bb887f094dffa1af56ebd8dbbe6d2db1f3e74ea24812d5680ce2027b7188143b3c31240c5c21fcd5da9e21a3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
1b2f97fe2eaf093fb5f581e53546e87f

SHA1
4882f8635d22cadba7898391365206b1ec25d5f2

SHA256
e8e2be638d43236a9a02fe65ce3e6ac461833b65128cd9fc16abfc7e13a48f27

SHA512
a66b12456011b764a604d9792d05197154d6a946905c57ac860270804d14ac3ee4efaf5d36e323ee65e931812206a4ad125564adf6db014ee549a08f969fb2c8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
1a8c066c78ccd55aeebe0c9e7b6ff320

SHA1
2bd9eac10ad94bb19c53fb4d8e86300d8da4ee35

SHA256
05c93fd3350e1f5b994754cf58431bc0ca96842f8db5c2aef1c7f871842ce93a

SHA512
081726e642e4c464fe450da1230d6ebc6e32030f3dd7213df5fafea42e90dafef710f4357198b07b24dd972beb5784f193d0c30291cd1bbe7066d21d7d21d80e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
4a709f106ea89869e6d811e60a3d3ef9

SHA1
4fefc4d765b270fdab1e8f92780a1a1fd77a1178

SHA256
abe399dc8caf4ceb25562ca44ea4247c63df272d5839e7ec4e9fde6f1bf49c79

SHA512
5732f84be1876abda363872f0803d0689807d996ac14103ca07652d881b65d5b5982a8bd817332e501f64115703fe0a0a59ce3e295d71b8adf33d89674d416b6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
a3f0dff580d29ee7ef5e68e397e08804

SHA1
422494e21a887865559f9f75c276094ccc474943

SHA256
9be5939815fd9423ffa23d981894d9bb8123665d447e8c0fbee0b5bb31dee476

SHA512
1c3db10c8df8c7d3397270e1ea27ee061d97bc933087bf174f57ebc4814ecb400e7de3f1f2d3da1409548376a7a9917fd9c3cff76fcdc40a9dff24cef674d4c8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
4af0f5253bbf8f0eebb9f37b50187008

SHA1
6e5b6c5f9c15640a7a1826c4129b64a03924d64e

SHA256
3f6555b9c406af7c0a457357bb791c83f2f6ce8a68a90045e7eac433ee7ab5ef

SHA512
bb5f943c79cff210c59c5938431210dd950d6b3ac14e7ca1f2cccd530eb90a1cf408f5f77f02d7e39bcd052966e800aad820eac556630981071b00ed7188944e

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
cb0e294fc67b0bb02cef70ddc1895401

SHA1
ba1581862aff299dae8199291c95b33a91fd09d7

SHA256
d9ecbd502c3fac3b92adcb291dff8fa15530283961ba3a8357aff2c37f370e8e

SHA512
43a0ebdee103395ad866cbf1cd1a8432c0fab8845c9264876e047225af4de853db8ed70b71fb41cb8c2235eedd8fdb1f1c2030bf0aa5435cc7161ed618b90f68

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
2aba39a5c4de83f1c0279a52d2a7743d

SHA1
8cbba34d4a602a0181de9d2522bb03e1159b4f16

SHA256
5fb4df95fdf131e509dbc369deb868aa94ec2d20a4cdfec45b749381590ff077

SHA512
37f437c2afa05e785a1c2043bfd76a4c40afe52d262eacd564da2cf00fd6fc8694b989177fe1407b4d7dd42a9114d6dbfc9abf225e25f3ee3658e8ec36eb9a84

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
900e01948de0a57cd381ce10064cb154

SHA1
0ace63a7a09b04c38ca6612b74178b4d3de75593

SHA256
b84b099e9b235486ba38d3c25d557864486cbd87469bb14dd5a778fbefa11637

SHA512
b81bc2cd6726a8c71490b568fd5725db79e790eb69ba9f6a2f2949b3a49cb6f77048bb2e8f225d69c31061fed4b03b043eb7b28bf3e1962259f895f65c5a34bc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
7440509f0b062ab104912c39e922ff27

SHA1
4fafb57ce7ac773e3a3f300b914739c7a8e6036c

SHA256
24e02cb660636afeaeacde8541270acf24ae7279a4f99df73d92ec7b79c923d9

SHA512
86b2404703364a8d9d786aa8c6d0c54bfb6aa5eca666ef836b4115868f354a57f4a5e660c091a4f19dccaeb360177783e8023d972f00ec9a77f67a460b9e96b1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
9e095c9210757aef5e53150704930257

SHA1
6c489b94ab6f5525a68f4f625d737d4834724fc3

SHA256
f7b9a654f1ead04fc0945c9e9d140c3246fa3c213005709ea3caea85d5a180bf

SHA512
202cbaf37815bcd5ecef419b427a05e90a43913253fff643a8ad68a4cb513aba72d7030778e0282432a7ba430e5063164eacc3b60667be81196ee0d105496791

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
5f9cc4b17adf954f533d1cdd71c4dc4f

SHA1
1a63e788c829f6c5993450120a3edf275c93b6b5

SHA256
86f8f7a64920ee036f197c05e6e6618431ff6ca5b8a3e5b871af7b315c623690

SHA512
8c1e3d9f27c71b9b695dfbf680f747abaf98464a92efea92e8a113b5b2104b8c36f92f10c8556375bf281b5b874cb7ca0367f427eaf3d86825783aaee4546746

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
ee48193d38b524ed4d3b6d4299c37686

SHA1
ddba41498fb4af46a3edbb23170ae64d3ad4a3f0

SHA256
a35d6edd75100747d7fa6fd799d107467ee14fc42fb2aa736eda8252a5a3e354

SHA512
f05d59d34a55faaf3777be9e64511c4ebb34cde311b3bf7605a71684ec82f9821177d6122d5d06e94cb2d561891325e00af6a153cf45f1740ad745a44e98f287

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
8a20fbbfb943c8217eb69f4378c5ee4f

SHA1
dc56315a4dd4779e5e575bf961364760cc790694

SHA256
e85c3ff32e7cef1f9ca61e7481d5cd8198273428f3ddb7e06f2a64dc73129f58

SHA512
9afb2ecaee790826ad8d12571267b97171d8659de37e024a5f7bcdf26cabde803259ee868e68f4f92d2675b5eff33e51a1e9a9860b493bb5ee3442658a1244dd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
98b04ee559df5b2a9aec5f42c183ac18

SHA1
ab09223595aa178e6e53e21bfe3bb44fe579398d

SHA256
2b4a6539919defb697bdc73102f957e323f09e29f9787fbf59dd51a653b62a63

SHA512
93cedfc0f2c01b7e60d7f6d94068ee870e0519b255ffaf1b8dba5bba1bfaa8e8ca0153e10d6288e7517653bcb5baf24f88e25fe3847665fb90791199d24cd88d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
5dba78ad2dd7e5ff5d6956202b0099d5

SHA1
637092fa5b8a2d31dc27212a614feb53a15ad0d6

SHA256
07c434bd064a83a5d81e901419612124da44498fa25e270b8faa011aacef290a

SHA512
4c6c1b1c4190b2b04a63b7a8d08581f74370ef825e7329ffd677dc32807ab444530313e6cbdfa38ec0085aafd96d6771648ee00560b9d2b0df08d0d531d17de1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
23fda61b7298fed44a582d0fb02b1be6

SHA1
a2cf355e70cf5b5109dff6d6bbb9aa80a284166c

SHA256
86434fc8b56365e1f4574c58e14b3794329332036a26471f9101bb7ac79320fb

SHA512
0d9454997d08bc2559e512c53992decade91e2cb29edbc5402cdec7e420cbce77f19dad5574f64c385f781ab3de03d72c4ce729625209708007d751ba3249cf8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
b2e120f9dcb17922415c2967febdc912

SHA1
6a1981a436618568bc91701da43aaa40b306cc9d

SHA256
a7bd083aff055bd1ad89063c276f008a4e3bb2df237845fdf0d0268035d1cd4b

SHA512
ce411961e24b451d3fe9e55a5baf17424f5dc5e7d8fc665432d0331a35ddb374fe8ee3b04ff1daf085586c3a87b200d734a0a9a758c77e237829390ccdbbf1cd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
c0294f6d6fd2e7568f2640c9e054683a

SHA1
a8aa82636e933fe00710b8ce0dae09bc4977269c

SHA256
8cc6d4b8c380e63817154f0d1e45ca0e152699dc77e9580e08158a21232e7622

SHA512
41e22d4f5d1d555bf5934f6e55ed010dbd8e840b513562edd14dc98adcb249781dccfcc4859d196b65a640c5aa09a56628b33fc483b5f564bdad9ed52664ee6e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
29152cc0d177e6a1e084d4aaf4ac9e88

SHA1
65cac713cdd1e231ed9b3b40860b40b327cecedd

SHA256
ba2e2cec29e1df7cef88acfd403c0873bf812e30ccb805725182a3329be5b77e

SHA512
868576cdd25a97c8563ebd2df30d4d70119120de9270ee4b2089a5f7bcdcb1800b78efa538fab80abf124488da38673289b61c889750ad10d9b167a3f6d09295

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
114e2d2d4591edf3a9d8206c429e09b4

SHA1
b7f93140fbadb47745160d92ec725e06304aca3e

SHA256
2b1eb82ebfab04b2199baae33445e60613f74e7a77dc2dda0d916fece4861250

SHA512
54263d214ad5cf945670842ed53850e7ec0964a347c083d9649473a94b1c2bed8245cf403073fcdb8673c1234030e9b5f48aee20671719ce0a4d25952ac73cea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
b7f0b5b44a873c470db3ee309ea254f9

SHA1
b0348e51934ad47b5d9e47a5fc3e9b7fe0420789

SHA256
a1e99c73f52352893cb34df030752e8f05eabb86a51011a76ce7838c513bdfea

SHA512
c8a56701c34ebf4533fef0385486346b17c62d372744c20ea0b34a05e360dcdcca54fc0d30c2a75ea2d6f06a6a99e45fc26177a2b3cc1a10ccb2b979cbcd0037

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
88a9594461df4aa34a146a28f6857b4f

SHA1
d0c004dc724b75def5f87e4078931a2587868c65

SHA256
949dd333cdcdb2c03ea1d01c98340ff32ce597785d6e75af6a9b861a7caf0f24

SHA512
f586e8e20f6604193ac25f9bef79f21f3b1a91a0edd2b662ea8fda25aff7fbef6139f6e4064085d5ebf3da91dee6b89acab2f0828f2c2c609aee6a43cd0fac24

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
7c04354aacff1d4601f98e87cc8b6275

SHA1
83e0a3d3a4e27ddcb778ccb04838bfde0f779680

SHA256
f3b4a6d51113529e99d0c0a129fbda6b98451ddfd6a16a85b58000bb3efc3d96

SHA512
68a5c19ec4900d940b8585d0d9f8b8edfd904cdd004357bb1afa1394c46de2e7c385275f2d784c4f76c6fd420b99a0059e66c2cb11c3076f632d6f128472e2a8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
a71027758d34746956fa591bce16af47

SHA1
0aa387ddb4be083d2e9de6bcb2d4406ac5f53c13

SHA256
dafef85a5f37d49acd6fb5940a3feea17b44ff0ca159617cdd50b80f87851834

SHA512
ad603d4928bc861889b80f274de59b40091bd1eb1766a47b5a00456f1f81b0a3013b3cbab8827034f14d099f55f4edb358f5f49a3fc4a666f5c56b6e8e11c094

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
2dcd5181553f56711b0b4532fc48126a

SHA1
64854634a7f87ac4fb0252e89e0a3764185ab65b

SHA256
2202a61d7f1184c8f8af7a18d4cb259ed698368c2c5570104b1229ffe006eb9d

SHA512
530dabfe858a77b5c4cb5b3053ee7d6b9b10807aa4a5353d92a0967d939b3f88552d05c2c455e9dc9b4df9a25f996372853489c89c3a63bbe37c7b6dce568fdc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
1da6f45d4242951aef3e32d0eabeeacc

SHA1
ad22f5cb6f435ce98d4ee8f18a2ac1039c90bef4

SHA256
84534ebe21c6c0974fdd4bfa86c53a2e626bb380d85150feab322ee70557afcd

SHA512
31577efc09137956c85adda1de132392793d2da83a170cfb4127ae16a6e9231fefe51d37002cfc5e38220a5cce2aeeea215b32dd1bc6e6ab8f1db37620bc5f8f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
2964cd277cf66cf40cdad40c87f57581

SHA1
0bed688d2128cbb8004507ba8f8b4ff075dc1eb1

SHA256
a0ef3eb6ba9ebe4bfb337ee44ec10ba0057c5e9c876a28b0d490520ff781a26c

SHA512
61e4bbcfc94fc78dcf866039cf3ddd39812ee2a12b52a67cac6d1db75c4d18c2833faa6458a519651059f7a17d1c97f0646f20a85b396f24519b861e66d33e79

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
55e2f066a9b2c2512ada22469c2f6f8e

SHA1
c374d843cd5bfb58a736592206df5625e95be73c

SHA256
724ea6c5f72ae442bd9d828b6ab9a0cd305f590e104da8351f8726366ef9629c

SHA512
4b4c1377c0c38d9602380d537efd036870a4ea8f4c8537f60dfdf35802181bb5984c51da2c48da0f84b4092829d1ae6f5d7c1e03376b9eadf1c2947628f42645

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
3c4df1863c40caea2a2dd8c6971a21b3

SHA1
7b71eff2daf399693c9dc8b1398b9e3b2c82ba92

SHA256
97e3c66a836461fceea20129143d55559761a594a97a4248f2290eb6ef41e05f

SHA512
9e5be2aa9dceb9099b0053caf6d234f5e5b1290c0ad7e0d7356a1e920943a92628a48de13d7e096c07a6c43f55a83ede9edc945819a9752fc32d790b096ca4d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
ab2cdf5e516e06dc78f12ad46ccbdd26

SHA1
5129614479c57e8a2c3b396889f963cdd82dc77e

SHA256
66492a0d9010a45cf794a99f43122732c62e7a18602e7a38b95057a59c73f123

SHA512
3aebb2e21f5201ca9350fe6b9f7f64fd917d5ade82a825e2eb5551717f09d35bde4901d2f24de29462594891cd76c24719ddc3c060550309371998e565f37b51

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

MD5
8eee23c24d39840ed3d2e97814f0c06e

SHA1
47c8b78871256766884b8ca4ec7fd59668ae1e04

SHA256
76f06f8fd3a824dc281fccfe7ccbc08762deb0e5ea9c5e14c207019f804687a0

SHA512
68089996ef3fd02cc43021cee440c31dbbcf2c6299b226cce66c59527d0adc8ce98dff5c0475a55de662137ddaf6cc9c51f89b002a9a8d383fbc7f4d657054c2

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/96-115-0x0000000000000000-mapping.dmp

Download
memory/96-135-0x0000000000000000-mapping.dmp

Download
memory/196-123-0x0000000000000000-mapping.dmp

Download
memory/284-207-0x0000000000000000-mapping.dmp

Download
memory/584-151-0x0000000000000000-mapping.dmp

Download
memory/992-163-0x0000000000000000-mapping.dmp

Download
memory/1264-183-0x0000000000000000-mapping.dmp

Download
memory/1664-143-0x0000000000000000-mapping.dmp

Download
memory/1772-175-0x0000000000000000-mapping.dmp

Download
memory/2104-147-0x0000000000000000-mapping.dmp

Download
memory/2216-127-0x0000000000000000-mapping.dmp

Download
memory/2216-191-0x0000000000000000-mapping.dmp

Download
memory/2284-159-0x0000000000000000-mapping.dmp

Download
memory/2284-201-0x0000000000000000-mapping.dmp

Download
memory/2548-131-0x0000000000000000-mapping.dmp

Download
memory/2684-202-0x0000000000000000-mapping.dmp

Download
memory/2768-206-0x0000000000000000-mapping.dmp

Download
memory/3488-204-0x0000000000000000-mapping.dmp

Download
memory/3568-114-0x0000000000000000-mapping.dmp

Download
memory/3604-155-0x0000000000000000-mapping.dmp

Download
memory/3684-167-0x0000000000000000-mapping.dmp

Download
memory/3696-203-0x0000000000000000-mapping.dmp

Download
memory/3724-179-0x0000000000000000-mapping.dmp

Download
memory/3772-171-0x0000000000000000-mapping.dmp

Download
memory/3812-195-0x0000000000000000-mapping.dmp

Download
memory/3828-139-0x0000000000000000-mapping.dmp

Download
memory/3928-205-0x0000000000000000-mapping.dmp

Download
memory/3980-119-0x0000000000000000-mapping.dmp

Download
memory/3984-187-0x0000000000000000-mapping.dmp

Download
memory/4036-199-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3156 wrote to memory of 3568	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 3156 wrote to memory of 3568	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 3156 wrote to memory of 3568	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	reg.exe
PID 3156 wrote to memory of 96	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3156 wrote to memory of 96	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3156 wrote to memory of 96	3156	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3980	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3980	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3980	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3980 wrote to memory of 196	3980	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3980 wrote to memory of 196	3980	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3980 wrote to memory of 196	3980	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 196 wrote to memory of 2216	196	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 196 wrote to memory of 2216	196	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 196 wrote to memory of 2216	196	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2216 wrote to memory of 2548	2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2216 wrote to memory of 2548	2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2216 wrote to memory of 2548	2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2548 wrote to memory of 96	2548	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2548 wrote to memory of 96	2548	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2548 wrote to memory of 96	2548	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3828	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3828	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 96 wrote to memory of 3828	96	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3828 wrote to memory of 1664	3828	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3828 wrote to memory of 1664	3828	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3828 wrote to memory of 1664	3828	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1664 wrote to memory of 2104	1664	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1664 wrote to memory of 2104	1664	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1664 wrote to memory of 2104	1664	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2104 wrote to memory of 584	2104	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2104 wrote to memory of 584	2104	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2104 wrote to memory of 584	2104	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 584 wrote to memory of 3604	584	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 584 wrote to memory of 3604	584	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 584 wrote to memory of 3604	584	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3604 wrote to memory of 2284	3604	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3604 wrote to memory of 2284	3604	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3604 wrote to memory of 2284	3604	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2284 wrote to memory of 992	2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2284 wrote to memory of 992	2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2284 wrote to memory of 992	2284	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 992 wrote to memory of 3684	992	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 992 wrote to memory of 3684	992	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 992 wrote to memory of 3684	992	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3684 wrote to memory of 3772	3684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3684 wrote to memory of 3772	3684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3684 wrote to memory of 3772	3684	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3772 wrote to memory of 1772	3772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3772 wrote to memory of 1772	3772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3772 wrote to memory of 1772	3772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1772 wrote to memory of 3724	1772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1772 wrote to memory of 3724	1772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1772 wrote to memory of 3724	1772	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3724 wrote to memory of 1264	3724	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3724 wrote to memory of 1264	3724	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3724 wrote to memory of 1264	3724	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1264 wrote to memory of 3984	1264	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1264 wrote to memory of 3984	1264	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 1264 wrote to memory of 3984	1264	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3984 wrote to memory of 2216	3984	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3984 wrote to memory of 2216	3984	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 3984 wrote to memory of 2216	3984	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe
PID 2216 wrote to memory of 3812	2216	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe	de1293de8b41fea10aca475420a1657a7640743369199d86640f9a97e9321361.exe