1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964

Analysis

max time kernel
153s
max time network
157s
platform
windows10_x64
resource
win10v20210408
submitted
17-05-2021 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Size

517KB
MD5

30f6be4f83317da5c73cccfd277e7dfa
SHA1

f42abf23107f541e5b3ab8414d16c1a42051fa77
SHA256

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964
SHA512

755f113061dd4d7fae0e0ac05a779e622073edb316ebc960bb590e48de23debaee566b19ad658104c23fa7b9af1df57c26556c5c3ccde8357e288220174a6300

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Modifies system executable filetype association 2 TTPs 28 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Drops file in Drivers directory 58 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\T:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\H:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\W:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\V:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\J:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\W:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\K:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\T:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\G:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\U:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\W:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\R:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\V:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\N:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\F:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\P:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\O:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\K:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\S:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\X:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\L:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\I:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\M:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\K:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\E:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
File opened (read-only)	\??\Q:	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Modifies registry class 28 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2104	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2104	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
412	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
412	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
672	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
672	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2160	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2160	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2276	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2276	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2184	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2184	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1016	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1016	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3084	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3084	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2260	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2260	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3936	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3936	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
4056	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
4056	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3940	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3940	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3764	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3764	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3856	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3856	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1088	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1088	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1256	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3848	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3848	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2584	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2584	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1656	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
1656	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2468	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2468	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
416	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
416	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2252	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2252	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2956	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2956	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
"C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2260

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3764

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1256

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2584

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:416

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2252

C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
C:\Users\Admin\AppData\Local\Temp\1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
30⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:3840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
460878594ee15d47ba3859a68ed39b65

SHA1
4c55cbc532f972c7b4c5fe3282394e0b94da3ef5

SHA256
0e14b2a00f93cb1e60987fd271b6706579f092ef55eb447f41781dfb61bac390

SHA512
ae00905dc9560650723fb5dd2b01008ec2359d910a62fbc01dc01e86c1bd2df4b46f744013f1903558b0682b9d80be9b5aa65e45bf34f60bdb81b62a8c590adc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d2336f9f13c032d3d43d9a1f22d37f32

SHA1
c22b54b2b75ddc09ff5f709f3a258510764f73c2

SHA256
deb284faceb606567ad985ea97b187191400941caec7b067efdb7a58781b73e4

SHA512
6781c502ceb3103f4930eac6defd8a5e6b89fae60181c0798480652f41482d6a93a535618534d491946da42ae9e719883f16a3cf51b48dacc3ee17b321bbdc53

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c81ab86443508ecd4d21fb1d7a71ac35

SHA1
51f7f2bd7380b7779aabb48a7e8fecf45439ea92

SHA256
18d8db3a791124b1f9952319cf310842c7282d40516215e59f5e5d0ed9f5bef6

SHA512
e185ed5166a1e9117149e43e2393a361dd59431835da99a8957471e517e197e75ffa72023790ad01f0b446fe57c44e84c00f1e7fe571615806ff0e57b075ff59

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
79e495ef044e34f2f32309bc6368c0bf

SHA1
107ff8618fd12a5e094a1ef8403d3c2437beab94

SHA256
962e3759356c92540daba39ae433d68de15143eca7be0e02606ad3364416479a

SHA512
004a77cc3cf6e7bea9e53906e6c4d23c718e349f67acfc4597c71e0aafcde3c32dadc4d529d955a9c391c5bd4b9f9c93a775eaa23e03abe472ce0003fafb65a7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d20aca17497f44fb014d2f41479e2db9

SHA1
6214b9c83211a93a1844492f2f903980f7c11659

SHA256
831edc34a7e52d45f9f02b56e072952e6202e0aef13fb1eb3e9dadb36cabfc4a

SHA512
407e790f2bd9d79cb8593605bb6a56e072096e15544a90390d171f95c2223b9fe650c34baf4bcceb4fba3500233331afd4af093caee21e669af17984b2e5fdcc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
29ddab0e761970b1da4039ad78373dea

SHA1
19a283605673109fbe58253b869e3e75d590f386

SHA256
68536dac1638de1a0131ea7fa8f33b9e4f75f240e11efdb3d873b9afaab5fe28

SHA512
0f0e90afd6e0be4f4ab2b3239b34b8f66a7c0ded7f290e243f32430b036fa5844834e884dbe459f352a5ba198bd5c1ac4bd5c4a3422d0f9792f74610005f92a2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f6d9c7401a72dc74483a343f3db84bf5

SHA1
362787f9e227a7c11f497606b4e1642ff38be900

SHA256
5a4fc655d4bc60dd77ff03c1a2e63420018e676bfa34824cd6572e142377c91c

SHA512
83d80e4cee5c998939084219146445e4fbc18e860b77d57553fe26258ca66a215d22d68759f3909fd4523b0c498396c3cd0e43c06de2edad825eae2982eb0f74

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
16e4941fbaa84f8a465a97b75593efa3

SHA1
792f7047c9dfa3d76cf26d7ed8e80e5cb97e4333

SHA256
2a4fdfabdbe0551b32613086dc1595ab6cd1a1a241220dede0985f2d6deca64f

SHA512
04edaeef195b0f0144713edd17b5fbb4ae337a05fac1d14b88913bcd8d7620445fd069f673e004ab523af2a3c09e1e195b7b1e281e4e13d8351492375589fa12

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bf07789020b5c0fbf927ca4a7d0b51f6

SHA1
36f534af7ffe19800c4a4c63b4fd1a3ab68c40bb

SHA256
2dc7ce1f666d4ace06ed70ad12fa7c26b8ea8cd83389cdd331a09481cd33734c

SHA512
2c547ea8a2ddb1c6feee1816da67ad163cf81209e363c382c3089ea28975aeb2203c8154fe885ae452f299e117372e619f2ec71ede0108bdb2b0d0dc8f9ff375

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
40c185cfc9e6e2fa0d4ccab3cc5cf732

SHA1
fafb9df5717ef246e1f6d022891df567d16bc48f

SHA256
48b91bb70d7acb608475f1761b54eafbe8b24fc08a562923841a7e7700578760

SHA512
6f48ceb0dc6d3459687b020a6d811758b358ef7d2e9839daa3eceb6dbe1bafe0a00dd7cc2b49804116a4aede901111b6e36b2ffab644195caec26827f1d2bedd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2a231c8fd68f6bd8e004173d4aebdc87

SHA1
83a65c85e2d876d73fc1e0c47b0f766781a1c847

SHA256
3a367e0faab5ba93fffb55409392d5e42f44c124c7a498974fed55dc983ce773

SHA512
a9d6b5b604ca459b834f9fad8da3ce87066e0afa29f056cf51a1e3ddbfc4a1a3d4198d1e2df1ffe63c292ded5d4f1c84caaaedfd0fcbb94c615a5ee7171470b2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
152a18d89688a372d01f8e9e1a5360e1

SHA1
d003b8e01789c3fefa07ef56d2dd64b6577ebed2

SHA256
5d04f590a5df394cc93c3960926e8af4bb5059710d81d74018544b22de31008e

SHA512
23dbb1c7939df81ae812b9a3c5fb406c31b4a6f8af18e429ea73d62e724aed8526e891b38c1147ecacb1e9584435881e80e798b3bd828c7bca4d542f2250321e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e2fa9d549401b9c9f91bc26deb0add6a

SHA1
4900329627b9edc4da1d4913dc9b7367901fcd2e

SHA256
41706846dc8d493536748c6e6c550ce0fe9a049105c260dc5b5e52e30265b1d1

SHA512
566087b1411236b9350fd712261070658c90d6ff15608573620653e71bb1fafa8346f87290c45fac330e3eccd4679ac5ac845ada9782136895fd08ca47ff63a6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0e0a801b4438570bad89bf2ce4dc3fab

SHA1
e1f7a2cc0494b7682116ee4cc6c558759906929f

SHA256
64e7888828c99fe9e386dea709437c5fb46b8e3944349491140d3ec8635b13c3

SHA512
254c65e61951f25d0c01d1ba68abd1153b0c51f8a1f8d9cf0873287b9c435d9ce3b357daece4bb40c39260a7a37a690ebf1fb0568ce37ecfacfe64d174757d72

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e5f17f46faff728a3c09e3aaa0160b79

SHA1
0ab562cb3ab5d5ca1d00119121842aadfa3c99b7

SHA256
208e99cb6e71f95c4bd41fb0d9490b8be4f696f904c255ebe54c23dbe08bf645

SHA512
1d180edcfb7b7d0a9fe70226848b2932ec1f8db7629f54aa366a8c81431e6ff949dfcd0dece80bd9a13e92101d38c85af4b57db80ccea2eaa57ce9817b0e9cc0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7e315f8db72acd03e337f33e15c4fcfd

SHA1
170fad16fa313c294c0136044663520d904c6c92

SHA256
8924c914c2190b994293c09c9666793a18cbd78688ce2f9f54fbfab84a14dcd5

SHA512
1d4998d2a38a906e33ee3f7a93746979f41cc04175c0568737754e58824c5d325808f32f52f127a18a6527a0575a395bf544c826743b9112d211acae2b5c0135

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e74ed5ce8e51f55a01f92a52dc469825

SHA1
24d86d195db9db2c05cc885f77e9e7659b671b15

SHA256
4f1a0fa547ad4c3a7c548cd2f89931b5c1a0823afcb8519534037fd6ffc36e17

SHA512
917170c3a01dc88db2c6cfa7c953317fc0c779b051b2cbc9673f1063e446a99b6ace746b9551e64cb5416301e2909ed27d3af4d70de759550da212f3410b0e3f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e416738ee3274d9c6dff22f81f7f7b86

SHA1
3dc5dfe340a9319b91233074997bb51f83cfc6c0

SHA256
8785dd8beac5b26f2991fbf31b5ca820453ee982a20c9c460cf25171f5578221

SHA512
e70b8cffd41478f0e4d4f8f68b15e06acd735fe7ced49cbf7ce77b81c23b3ab124f6ee337495bbacfda113cc331ca9e22231ed4ac8a38a3f23996cbff1332632

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4cda7b1f081e0ea19a3223756cceaa26

SHA1
23d383c734f60f2a3c27f6225652fccc35c81f8c

SHA256
967503779cc2e56008af44306aa4df786f6baf5f742c6b8543048693076eb071

SHA512
1ec41977020bb8fa385f956b4b02e22013d3856874cfe8d71ad31d3428d21401a943cf57362f2a2fa8767875ff477f9d64fe9b70854fd960228b862c58fd48ee

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fa791c01ff379318fde4f75165a1e6d9

SHA1
1c78da9cb56425b3057416feec6bf1c728f30d15

SHA256
45cd2522a65075a602c37c6b9c315bfb14c5eb4c00f9ef7d73f50d43cfaeaf9b

SHA512
cb193d41d065bfa1c05d545d53b5a6b04cc8b232940af5e3f775f33552df4c6b78af9429fa9139764c5f6743b1f07db0eba74bd3e00b9a9df820ea926bbf422a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
51dd7d8360a4af807aa15c2f4bf26660

SHA1
5a67f98f1aa664c3b81c1771cb544234a77d4802

SHA256
76dcd527ab01c7e75ee9a2c26010082388fade70fe7ffd8e51bea8ac0fc17d98

SHA512
f9e293a1b94e92a9a5ab811f337de887d1666e419868661fc0fd6bb36d72c487a0edc650d6b334e5ad730530ba8f9990b6db638bde1028f4a6e245c69a63f9a2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a8cb051ce6f87ea12739752f7b6d3775

SHA1
fffe35527fc08ad77e1d71a58025dafcbf0c0096

SHA256
40d24b538be44e9ed7cc19490161e8f664f211d992eead51dd304b81e2a17808

SHA512
c4b927e29b50d0d95deabe1c0fef7238fc82ca993e18fc09de97bd4f906f06fdc614d0190bdca5264157c665e868242f55455242f9491ed75a153640c5732577

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c714ad162cb0105fab6b3e9ebc40e452

SHA1
b66b5055d8980d7da562ada938a6e5aab574c8b8

SHA256
55b738da6e4a776964331d70fb49ef40ef6c38ccdddb52fcb81a305a6d474bcb

SHA512
e1e4b81a2119a227cfb14ee944e913d1679477b1ddb587bf467b3699277b07bfc98da25a4fa6595f9dbaaf75018b48826109609168fc1151e4d0c358c9e472f7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a37b2548df2b3ffea3ff85723c867d4b

SHA1
242bb5e900f1016ba615b90bb2361d969ffd5e3b

SHA256
2c948084b3eec9b27f589b81ccff773275154f16ab403c72c01d2b1f2569a802

SHA512
06b0c6657c49195e34ac65ebdcdae3e7c6c08b9e9b064e04da0e4e99a0e14715108295fc7cf62967d12fc6761b65f941aeb2c8484bc26c535b696e613f5c4763

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
14035c9307b92a7762bc7eea2417b155

SHA1
5349cfbcf7f08db078da5a97d71e12abb3372783

SHA256
5ea19167b9aeaaa18c1830bba9a827ed0f4866240fb9fe619e6917b9593ab1ef

SHA512
3426a68667f477f12998a2a16fc8f66dd9f3cb8374974629ad5843b7191e1ac679abf6c208843b2f9f2e6455aff048c4096984b17b3504ba426886feda62ed3f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6c77876402bdfa190d9c13f8fe30edae

SHA1
21d77e2bd1e4e83377dbc001a25c02597b4fd20d

SHA256
50855d040fa39b3b1380633307a5ca1d65b16b74673dcd0799593663b5b985a8

SHA512
3266d734603fd09e49f196d39a3494d3e8b11184d3ed2a1e92eafdf6f0623a2cefc8b2c68d56ef04152801e2cf0b5cccbc6c115b0a0b177f04f47c725f0e19c5

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/412-116-0x0000000000000000-mapping.dmp

Download
memory/416-205-0x0000000000000000-mapping.dmp

Download
memory/672-120-0x0000000000000000-mapping.dmp

Download
memory/1016-140-0x0000000000000000-mapping.dmp

Download
memory/1088-188-0x0000000000000000-mapping.dmp

Download
memory/1256-192-0x0000000000000000-mapping.dmp

Download
memory/1656-203-0x0000000000000000-mapping.dmp

Download
memory/2000-136-0x0000000000000000-mapping.dmp

Download
memory/2064-202-0x0000000000000000-mapping.dmp

Download
memory/2064-156-0x0000000000000000-mapping.dmp

Download
memory/2104-114-0x0000000000000000-mapping.dmp

Download
memory/2160-124-0x0000000000000000-mapping.dmp

Download
memory/2184-132-0x0000000000000000-mapping.dmp

Download
memory/2252-206-0x0000000000000000-mapping.dmp

Download
memory/2260-152-0x0000000000000000-mapping.dmp

Download
memory/2276-128-0x0000000000000000-mapping.dmp

Download
memory/2468-204-0x0000000000000000-mapping.dmp

Download
memory/2584-200-0x0000000000000000-mapping.dmp

Download
memory/2748-144-0x0000000000000000-mapping.dmp

Download
memory/2956-207-0x0000000000000000-mapping.dmp

Download
memory/3084-148-0x0000000000000000-mapping.dmp

Download
memory/3596-172-0x0000000000000000-mapping.dmp

Download
memory/3764-176-0x0000000000000000-mapping.dmp

Download
memory/3816-184-0x0000000000000000-mapping.dmp

Download
memory/3840-115-0x0000000000000000-mapping.dmp

Download
memory/3848-196-0x0000000000000000-mapping.dmp

Download
memory/3856-180-0x0000000000000000-mapping.dmp

Download
memory/3936-160-0x0000000000000000-mapping.dmp

Download
memory/3940-168-0x0000000000000000-mapping.dmp

Download
memory/4056-164-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 736 wrote to memory of 2104	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 736 wrote to memory of 2104	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 736 wrote to memory of 2104	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 736 wrote to memory of 3840	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 736 wrote to memory of 3840	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 736 wrote to memory of 3840	736	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	reg.exe
PID 2104 wrote to memory of 412	2104	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2104 wrote to memory of 412	2104	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2104 wrote to memory of 412	2104	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 412 wrote to memory of 672	412	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 412 wrote to memory of 672	412	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 412 wrote to memory of 672	412	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 672 wrote to memory of 2160	672	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 672 wrote to memory of 2160	672	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 672 wrote to memory of 2160	672	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2160 wrote to memory of 2276	2160	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2160 wrote to memory of 2276	2160	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2160 wrote to memory of 2276	2160	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2276 wrote to memory of 2184	2276	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2276 wrote to memory of 2184	2276	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2276 wrote to memory of 2184	2276	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2184 wrote to memory of 2000	2184	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2184 wrote to memory of 2000	2184	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2184 wrote to memory of 2000	2184	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 1016	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 1016	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2000 wrote to memory of 1016	2000	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1016 wrote to memory of 2748	1016	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1016 wrote to memory of 2748	1016	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1016 wrote to memory of 2748	1016	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2748 wrote to memory of 3084	2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2748 wrote to memory of 3084	2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2748 wrote to memory of 3084	2748	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3084 wrote to memory of 2260	3084	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3084 wrote to memory of 2260	3084	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3084 wrote to memory of 2260	3084	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2260 wrote to memory of 2064	2260	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2260 wrote to memory of 2064	2260	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2260 wrote to memory of 2064	2260	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2064 wrote to memory of 3936	2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2064 wrote to memory of 3936	2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 2064 wrote to memory of 3936	2064	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3936 wrote to memory of 4056	3936	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3936 wrote to memory of 4056	3936	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3936 wrote to memory of 4056	3936	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 4056 wrote to memory of 3940	4056	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 4056 wrote to memory of 3940	4056	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 4056 wrote to memory of 3940	4056	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3940 wrote to memory of 3596	3940	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3940 wrote to memory of 3596	3940	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3940 wrote to memory of 3596	3940	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3596 wrote to memory of 3764	3596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3596 wrote to memory of 3764	3596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3596 wrote to memory of 3764	3596	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3764 wrote to memory of 3856	3764	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3764 wrote to memory of 3856	3764	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3764 wrote to memory of 3856	3764	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3856 wrote to memory of 3816	3856	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3856 wrote to memory of 3816	3856	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3856 wrote to memory of 3816	3856	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3816 wrote to memory of 1088	3816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3816 wrote to memory of 1088	3816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 3816 wrote to memory of 1088	3816	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe
PID 1088 wrote to memory of 1256	1088	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe	1a4c27e6b95c50e2e16b6a084844e17ab0ae7c8ec8d6894eca73d814af6a8964.exe