e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3

Analysis

max time kernel
149s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Size

148KB
MD5

5fd4f9d442a932fa1d1196383ae090e9
SHA1

3ce0f7e864bd7f34c7a6c4ac0f748de78aebac21
SHA256

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3
SHA512

4a6bd2e8d17e3036d8e232896328174cce51900d6ea269dd11c4a284f6a4f62a30f7fee4c5468e5fef457dedef37fc535ddf2f6ed09b0c38abf01dba2b2e9b4d

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exee3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\F:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\F:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\G:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\M:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\W:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\H:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\Q:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\F:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\G:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\O:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\O:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\V:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\J:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\H:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\K:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\E:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\P:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\L:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\X:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\P:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\S:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\M:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\U:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\N:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\I:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
File opened (read-only)	\??\T:	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

pid	process
3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1356	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1356	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3572	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3572	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1848	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1848	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2184	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2184	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
404	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
404	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3192	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3192	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1820	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1820	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2272	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2272	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2808	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2808	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4036	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4036	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1132	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1132	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2104	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2104	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1844	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1844	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2544	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2544	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4000	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4000	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1892	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1892	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1780	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1780	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1852	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1852	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2552	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2552	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
"C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:404

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2832

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3980

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4000

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1892

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3980

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1696

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
30⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:200

C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
C:\Users\Admin\AppData\Local\Temp\e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
31⤵
- Drops file in Drivers directory
PID:1448

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:2496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b4fe1da109438ddc1e5474818242c5cc

SHA1
b4f4b29da483d2affe8f9deb15dc288f1e1d8f8e

SHA256
1c2c3eea8597753aa5b68ee2dc961ad4134a0da1cfb8fb7a7a8f6e01e5790fb9

SHA512
4ed0941cbe10b38cedfde65c11f84c6e13b5287b9c606f9cafd8928c59a3f4b61379bdeee85edf496604847df71ad8a1471af07f302082e98da622cdb5ffba9a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1c5345c4fb8a10b8ece405b39bd5672f

SHA1
370f6d703ca767257a11f0e57682627514f8dac7

SHA256
da50689482b1cb82f87d0905217bac67cbedbfe9445dd17b38ebf949913e4f80

SHA512
a171d275c9ed7ee5264d682d5d10a6793c20aa7734e7d3087e3f46dfe8882f52e739b069f5c71b150cfd3b5af24860ad58c2d42361ac4b7a07787f343ff5b33a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
55eea560107b96d78ea59d4199c64fca

SHA1
b1cf23b0c97a607cba0b48acf9b9c50ad550ec91

SHA256
e516174019e254fc826e276d4bad30ff206a1d7104d0e99f5347503200e3ed57

SHA512
6e1f2570b37e3fc3f0f42dbead577c86577b3295785a6046bc338ea5d3b70a8e810d88cfb28aab4850fa6a299edd1173053cbcddf62beb48d88f2cae6ecaeb94

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
bfd7075b25300a642778b4519dc77372

SHA1
ce1f475615472919df06facbda9556d627821765

SHA256
409edcdb56740ea378cd5c053d6958cffb561f3e5fdca4e804ca782ff0270fa5

SHA512
4e227c77895e3c73a0399aaed9d006ec5fba3a84ed420fe1d16673a64c203172d6118fcba31a2d8b6418d67be9dfaedb551aa07f913e8899eb9d98aa8d14c4d3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b450680f20094a4649eb08e7af234439

SHA1
d0a5e64ec45f565485a82eb5b0af4e718e3f02ec

SHA256
5a637b3bd304e6a4102efbe38cc482b07381f16bd32b5688f1d66ae17346268d

SHA512
9520c05c91d6884e189cc994985126e67bb8ed82a50af3a55cc1ac9e92f26b9ff05adf3d2fb10428c446ec1bc80a48af637b64b807dbef8fd08083f90607e682

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f8479020edcdb2f26d70a85ea0e702d0

SHA1
b8645aa5f3db7412ce16a1095203a2578e443d3b

SHA256
1d26c941cca11cc78576d33bb002f4a1b1a65e25ba37e1d764315b663d168bfe

SHA512
7adbefa66c6c445ad242c56784d05b27477a8543709ec60108a56f5adbdaff8223bcec2c2263a402568e0b0cec0fbfb9c4b7062f8c68d7f06f4c9b30771d28f0

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b5dea575112c09b8039fad8b34a6ab1c

SHA1
a12d2e559452eb2925a8b8a870c276578e803ad7

SHA256
2bf67f77260d3cdabca34250d61da8004ac461cc94c0c076c5b8f892bf672945

SHA512
8804ca8057c9d8b8ac1e1b88eb580ae9a263f16773f23b95f9b8ff6e8f18bcb9c5e3887b16bb24c22f51859cfbddb2c151d30d2350dde4ab8fee4d2b9c0793d9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1ad1d03dcf3c67f5c4201a3d77fa37a2

SHA1
2f891f4e08b018d3e4aa1b9a95c6858df72d8b74

SHA256
99d7c4b94ec436a4846246e0b7218851c19f7bff5d0f77ecb6df7373642124d1

SHA512
dc0f72c765069bd08b579c2f6065cefbb3d61f95322bc2dad522a73d507845cb32e9b6e8b252375c2b9bcd54c26fc7756c632ea5c0382bc0ef3e7c8abc3fa7b7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
f5201714ede0d5c23d09035200edab64

SHA1
2edfaf0ca66b6cab104d9b53a344c54c3ab31150

SHA256
6b9a8d408c5d3a3e266f996d0835ff97c2c28c2783873cd2b88e4f40c2a58d27

SHA512
8868f9814b9da90f1e0c18b18bdf61a569e4bb1c8ce16027a65114b4a2fb8066ddc7fc3558757cf99bd1365f4d725faa7b10254e980e554b258b320a8b8b3d93

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f5eedec4a36dabaa5fa42cec3e5f95ce

SHA1
a02ef10f1a7980a4415d39d81ed867e65b4ca1c0

SHA256
f11b53d7371ee62ce8b5fcf274e1609265af56779e54206aaeb5d6451ab2914a

SHA512
8586afe85a10387493d078da176576321b18344032d6a21349225fe6ef31c8044e48edddfbf89052f13e2497bf9b0c46a7d72bce17e5ca92593f25341b6bfdee

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
aa25c213e762d515770c6a84a2c14b24

SHA1
5055a2dc74ae9bd52722a64e44dbdbae211d6a74

SHA256
f5279edc52c5138b608d81c5e789c317dc0cf2d52dbf7bb65c476ae0a1f26ae8

SHA512
b02757e1a291f953fc56a1133ff64dcf705abffaf2f7116e07fde4b6f51ec811adf5b0ed602cb1318f410838a07449fccedd207fa024779710eb48ede14204b9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
adebdedcecd4591b95cec591bdbe2daa

SHA1
08fd17966536257cfe4d10435876a9c098c0bdcb

SHA256
b0723da78c99cef026fa360b8364bc043562c9aa61d17e76a397a8ef48c56b22

SHA512
0b79f5ba534fbde20a26c95f260acb514c23d0a326ba15bb56b00727bc70aef5483297531016b7c382c439f452219d187ccdd97b26fd7f4fa8118aba89f77517

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e3301494c41a2f638c67f60cf514ecb9

SHA1
0ddb9ee6053ed767173e5c21eba097e30ac7ec78

SHA256
2612f0e7fc9080295c3e9abc93b3256402c56947f1bc2e3b14adc88a71f1eb07

SHA512
49f4eac5aca080439be958291f96ad39a32b7ff07314665cb43bd8a04e4fb3657d26b7e1fd631827b2853a8438e95f76469d8c847f75bd2824a08d4c23907f07

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
314504cae8bfe1eeefb935fd0d851874

SHA1
de9516c0bbd109636e82149ec026eaf8e924a138

SHA256
4b987d70d893e278681d3a9697d1b1c8cf8ae73090b74d7cee308cc6d0af3d27

SHA512
4868a815342c1f96eb9fb5b632334c02b8cc11bd7818ba2c0d7a58511f2cfe21c94d57f4c71b4cf2d451f2dd81a311391cd73d2262eb049ab21276488578692a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a477efd7e767d1778f55b961796f5420

SHA1
2c1643a98a3931ad4e77e652c9f9bd4a7b0ee337

SHA256
60dcd18c46cd4fbfabe384771174ccd212d13ab1627009ebe97a287767c8f23e

SHA512
0d21e0461dff44540ae115dd598641ad3fc9a743cbd1a44090fb0dbf781d7774aeca7c078265fd454fea40309cde5424d6e0e797dacddaa7beeebfe26046495f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
95391bb662a83bc21836a839bd1a28be

SHA1
43ab24a61239d83c702976458bc2f51bdbbc8b17

SHA256
ef7c141437bc8ccd78ffa691bb37cc0c0c3a035d9fc0900fe61cf0bdd9c5ca25

SHA512
2a52b46d7f978f2afc61d4cc2732aa69029961f8b9dc94856a7fb8e0330848a3d92cc7d001b87a744ccfca321aa03690e74df8bda072b2c1b53659f6cd1cbefd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6151e0f792cb52aa351584560ba2f1a5

SHA1
c14dadc7558216e6cb14ee0f692b38f3dbf6f792

SHA256
0e5ebdce601a316c2f726e73a8b75ac9888fc3c5dd0cdcc46f3e7a8db8408644

SHA512
5ee1f73e871608a6983394b5992546d122309224a7179e51d7dcfb423d7a37b7b9efab06bc7ac91f0be67662f4dc895a8cc9c9fb32af03003b3b23c20f817a4a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fbfc0d29a74f24cd1d686f39f0ae7349

SHA1
218021115e08783cd64fe80be3a93679256270d8

SHA256
83d8f1de4813d4df4e16dc0ee9d1226b7cfc58623565c1343e0bd7f30f57f0c9

SHA512
42aeacfc2959fa98e409942eee5dd460332b27eb2c95efa6eef0c7b3a502cff058aac581969a4d8a2c4370c97ef6cf8bd5943053b8840ec892c8c8b7de6c4fc2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d88a776d5fe0d2a91002925b45da9fb7

SHA1
fa043502dc7b72651fe2f0dcf21cc1350ef9d36b

SHA256
9bd983dc9bf9e57df5f6e2c06ac1fae4cfa752955a9cb641bc38ddcbd1076ebe

SHA512
b8332945442592db0a829a695fde6ac5a974411bd1d7628c735da7ad785456577ef38ce644a1553be9827017fecb7c44c88ad3248c2dde249afb3b49a757e419

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
934a4b7bb263729a67fa2ad21af670d2

SHA1
acc213d207606e9ea7fc8d399f97c338b66d07b1

SHA256
499e786045c8c924084df8c28bc627f543ab4ff688741dda8d609542e13a3940

SHA512
defd9d8e10f0d31fd5b5f831b59d8f8f19ad3c5f4047e49aae5158b2ff68a46ad42a0c0bdf5e927b14f46922aa2783d7f77ab758f4879fc13341caab56d3cdc0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
aaa83f684ffc344f5ae87fe76ab4365d

SHA1
c1fc002264a03a18b7481ffb4740824532ae2d57

SHA256
ec6d44bbbadea71d80f4a1e00f866af1df0a531e247b70356ed8001f6fc10dbf

SHA512
cbd29ba261bb9c4914cbc9fbc5fcdbc4edf309925f99813fa2e04824d9ba37f9687cb2eb0bf16a40020689acf932457c51859f746b5691f11a12367ceae6f12d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ee7b6b5449f0b88b58fe68d4e45590a8

SHA1
e41f5b9ef28677adfce864579a6dfac5f9ccc76b

SHA256
2dbb626b8d18e75cc001328775301be72d5647559ac27c99e76515783ea90948

SHA512
f6f7fe367a99eb1fc8aa445e5418a26ac6f5e866f7fa0049c143dbc699d51e06c6abe79814811243ba4942769d6cdd9b119fd269b34cf39d778a1e948d8598ef

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
91e0b674ecdd7880a557e45131c3f702

SHA1
cd393ab3a1e565e5e9514154a1abfe07ee1879df

SHA256
9eb2bfe9d94a176acb8e7389ade6d0d0a60d2c386500517b37cd2e1fc0b3d524

SHA512
53f4fab4256badf73a6fa3e56fc9e4842ad07655c2724357d987aed49dda39b4181e0db69cb3f23664a518c12b91ac5506e693ec10f14208b972125749761402

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b2a7b3920833f36026734fc1e8d45d75

SHA1
aad1dd4ea0d8ddfc60c54dc27286773bcdbfc20e

SHA256
57061c24b114c42ae905fbc1a941745563644007f0dd0421d603d89bfc00f285

SHA512
1e94046b8d5dca38af03d3e25fc14679f7f01283254d8bcae1ea57af15e2ae5246c1769032bb0449495963baf4764a4e72e302afe331ce5e5a1068a0400e5e49

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2e8d8801922cd2f9f5415f519bd54b0d

SHA1
a76da34e3258c6534f4bb0294d78b49b9b33c089

SHA256
a4657db87c45787bcf9010ca72c1f9c7b428b1be38c372af67a57c3bdbc373e8

SHA512
d983d4ae9718e993b8eb354e5be64c30c8a3751bf482f0190cca1c9a9e882c9ab7d178c97de959aab4771fa315113c6481089e9fcf8f29d010f979e637b047df

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9f8a2fbe7e16f390f312a29cfd3dc3af

SHA1
f8a3493255643e5c36b01065ec979085a669f7c0

SHA256
fd8f0a2a4eb3ecfa879746a26b1e7762c1ee7a321a0427b4ebfd287ab0321233

SHA512
0ec4db342cf8fc790cabc35c9fd201c4eae3b298ed898f9e9bfea992ac1dbba957a522550d0e3297302cfd72807a60be10731cb5888a14073e7d8fb7c3533931

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1251c213b8e5d60d76911f189db32115

SHA1
b8110c0a6b0f95c2a9749e5e88bd77dca0d1db2c

SHA256
b55af34fb8bc6ca324a2e8dac8a923f9d84841ef5ba38a32a7bded1e3d6dc99d

SHA512
e600b98f13a1a0b7eb876cf6e16e89906902706bb3a0bdbb631193ba19fc2e0c6435c1bb34bc420ebd0952b337ecd4c21a92f392ec96a752017ace1740c302ea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7b0b12055aaec9fe8224c13c968d95a3

SHA1
c3b7f901fc3458b6feb3c936e4bd17519dfd4eb2

SHA256
2d70352fed417727fe8113ed62788b96b479b61b06c0dea39fdda352d27bcc38

SHA512
4b2a6b5592441b9690186cfa78d57c6e8f21e4416a53dcdcd9b67335e65b4506d1e5581456a8260ffa16c75776bb0417fd63499bbd3221604b2cb777c36bd6e6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0d40142859a0b142395c75bd07c7e1c5

SHA1
cf503a7e1ee10cd6e1791bf13484331171452c5e

SHA256
1c3ae9c44a5e00727bd7d051642c67122394243b375aa2e93ab2303ea3b2bb84

SHA512
bb4e88bf676c9af7334097d330f25c550bdcf71fb77f4fcd27589db654dfff6351851aa50008ae63b71a3730aba8687be972c3b17210bd5cf5544df5e1be8075

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c6fae2081e8002976eb1186662362237

SHA1
714b6391d7ec8a02483bcb98b584a0adf067a7c4

SHA256
d34f6901f3b37e87f962ea844be67e9c1e1c1bec8cf4af404e3915ee6bc61cbf

SHA512
f2521f94e3fc67d27d1db236f84af0e04bbcc6d778eb6ffd2042f67547690d0391ad4f41ba9b73ca86283af177a3bdaf49db7d4edb56c6f82b172406883fee20

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
53f9b35c60f0b1b9f96f011227d6e170

SHA1
fa3866abf994d27d2406edd5c783ade4995e1562

SHA256
690f5a80c17155c7c1a09d1d1a49238a8fcb86c0aaf9f82ee3a54f3e506523c5

SHA512
281cc9ede2559704a47409e864bd1f23c59836b7e62c9848f0e5c0c1fdf3b2fc8ab9ac201109624fccb6e32010dc68149a2114066edb471c4385567d06dc5429

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/200-128-0x0000000000000000-mapping.dmp

Download
memory/200-207-0x0000000000000000-mapping.dmp

Download
memory/404-136-0x0000000000000000-mapping.dmp

Download
memory/1132-172-0x0000000000000000-mapping.dmp

Download
memory/1356-116-0x0000000000000000-mapping.dmp

Download
memory/1448-208-0x0000000000000000-mapping.dmp

Download
memory/1696-114-0x0000000000000000-mapping.dmp

Download
memory/1696-204-0x0000000000000000-mapping.dmp

Download
memory/1780-202-0x0000000000000000-mapping.dmp

Download
memory/1820-144-0x0000000000000000-mapping.dmp

Download
memory/1844-184-0x0000000000000000-mapping.dmp

Download
memory/1848-124-0x0000000000000000-mapping.dmp

Download
memory/1852-203-0x0000000000000000-mapping.dmp

Download
memory/1892-196-0x0000000000000000-mapping.dmp

Download
memory/2104-176-0x0000000000000000-mapping.dmp

Download
memory/2184-132-0x0000000000000000-mapping.dmp

Download
memory/2272-156-0x0000000000000000-mapping.dmp

Download
memory/2496-115-0x0000000000000000-mapping.dmp

Download
memory/2544-188-0x0000000000000000-mapping.dmp

Download
memory/2552-205-0x0000000000000000-mapping.dmp

Download
memory/2808-164-0x0000000000000000-mapping.dmp

Download
memory/2832-152-0x0000000000000000-mapping.dmp

Download
memory/2980-206-0x0000000000000000-mapping.dmp

Download
memory/3192-140-0x0000000000000000-mapping.dmp

Download
memory/3572-120-0x0000000000000000-mapping.dmp

Download
memory/3968-148-0x0000000000000000-mapping.dmp

Download
memory/3968-180-0x0000000000000000-mapping.dmp

Download
memory/3980-200-0x0000000000000000-mapping.dmp

Download
memory/3980-160-0x0000000000000000-mapping.dmp

Download
memory/4000-192-0x0000000000000000-mapping.dmp

Download
memory/4036-168-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3256 wrote to memory of 1696	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3256 wrote to memory of 1696	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3256 wrote to memory of 1696	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3256 wrote to memory of 2496	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 3256 wrote to memory of 2496	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 3256 wrote to memory of 2496	3256	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	reg.exe
PID 1696 wrote to memory of 1356	1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1696 wrote to memory of 1356	1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1696 wrote to memory of 1356	1696	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1356 wrote to memory of 3572	1356	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1356 wrote to memory of 3572	1356	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1356 wrote to memory of 3572	1356	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3572 wrote to memory of 1848	3572	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3572 wrote to memory of 1848	3572	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3572 wrote to memory of 1848	3572	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1848 wrote to memory of 200	1848	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1848 wrote to memory of 200	1848	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1848 wrote to memory of 200	1848	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 200 wrote to memory of 2184	200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 200 wrote to memory of 2184	200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 200 wrote to memory of 2184	200	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2184 wrote to memory of 404	2184	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2184 wrote to memory of 404	2184	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2184 wrote to memory of 404	2184	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 404 wrote to memory of 3192	404	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 404 wrote to memory of 3192	404	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 404 wrote to memory of 3192	404	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3192 wrote to memory of 1820	3192	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3192 wrote to memory of 1820	3192	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3192 wrote to memory of 1820	3192	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1820 wrote to memory of 3968	1820	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1820 wrote to memory of 3968	1820	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1820 wrote to memory of 3968	1820	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 2832	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 2832	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 2832	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2832 wrote to memory of 2272	2832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2832 wrote to memory of 2272	2832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2832 wrote to memory of 2272	2832	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2272 wrote to memory of 3980	2272	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2272 wrote to memory of 3980	2272	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2272 wrote to memory of 3980	2272	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3980 wrote to memory of 2808	3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3980 wrote to memory of 2808	3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3980 wrote to memory of 2808	3980	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2808 wrote to memory of 4036	2808	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2808 wrote to memory of 4036	2808	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2808 wrote to memory of 4036	2808	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 4036 wrote to memory of 1132	4036	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 4036 wrote to memory of 1132	4036	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 4036 wrote to memory of 1132	4036	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1132 wrote to memory of 2104	1132	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1132 wrote to memory of 2104	1132	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1132 wrote to memory of 2104	1132	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2104 wrote to memory of 3968	2104	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2104 wrote to memory of 3968	2104	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2104 wrote to memory of 3968	2104	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 1844	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 1844	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 3968 wrote to memory of 1844	3968	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1844 wrote to memory of 2544	1844	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1844 wrote to memory of 2544	1844	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 1844 wrote to memory of 2544	1844	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe
PID 2544 wrote to memory of 4000	2544	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe	e3155d81b8ee26ac0a643ef19d79374c0f138739ed33de2d20803b6c08bc76d3.exe