0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10v20210408
submitted
17-05-2021 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Size

1.0MB
MD5

76dbec3bf735c602e87127f1a005a37e
SHA1

998b836fa148f6a3ba05064b90ea240f205e5a47
SHA256

0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360
SHA512

ca8595fdb0b63a8eed1266e38f81f7935901ef3ddf83bc7c27eb1d478cc916d8abac7e738dbe37398a191f375a6d51fc5466e080c63eae43b9746cd6f4751651

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\G:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\Q:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\P:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\O:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\J:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\T:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\W:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\T:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\M:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\O:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\U:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\X:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\U:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\G:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\F:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\I:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\L:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\L:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\K:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\R:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\G:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\P:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\P:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\X:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\O:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\S:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\R:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\I:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\I:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\P:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\S:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\V:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\S:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\R:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\X:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\X:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\H:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\I:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\W:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\J:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\K:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\N:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\E:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\E:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\M:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\J:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\E:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\S:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\Q:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\T:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\X:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\V:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\I:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\M:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\H:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\H:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\S:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\K:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
File opened (read-only)	\??\M:	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

pid	process
4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3700	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3700	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
492	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
492	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
856	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
856	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
964	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
964	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
1384	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
1384	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
1776	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
1776	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2304	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2304	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2744	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2744	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3180	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3180	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4292	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4292	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4360	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4360	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4432	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4432	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4620	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4620	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
212	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
212	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2300	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2300	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3168	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3168	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4576	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4576	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
5044	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
5044	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3676	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3676	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
740	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
740	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2312	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2312	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3476	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3476	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4256	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4256	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4728	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4728	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
"C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3796

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:492

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1384

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2304

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4292

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4432

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4620

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4576

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3676

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:740

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2224

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3476

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4728

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
C:\Users\Admin\AppData\Local\Temp\0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
30⤵
- Drops file in Drivers directory
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3ec8aaa5f631378629b1654dbf1fbb81

SHA1
4e8b24ea2f4b98ef61eb4434f07545fa1d9ac910

SHA256
379f3ef4767e54088e7b18969e97d48ba9a022d86457395a67c14cc39cdad2e5

SHA512
8e84f9d4c60d078b0fd6b85eb1893ffa03530a3500d9af52597cf54284370cc7750b25db30271d76b24d23660dbec38c886e31387db76e82e8ab17e62615fc6a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7860ad72a3734d1b2994fb22d9e9d66a

SHA1
5234b86dbae01176c9a150408d2ca4d7fd867b70

SHA256
084fb0e18ca03aec0d59e6cc8648366a298cfa626b734efce61ce4e3dcc6b682

SHA512
4f7fb8916c8bce1014d3d3138924d6b19e5a300944266e009bb49fa866d4ab0b9ae2934f26ef93adfd4cc4cc6ec6780f30b34e42d34ea68f66e229897200ec60

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4295fd22d42f86a260b8a036836a43d9

SHA1
2ae7c1d6b2d7c61d5c31c71b9db3a183e014f887

SHA256
d1277b42aa002105ccd411d67eca66f2d5e500a5c1fa4980d7f27742d3c38e98

SHA512
bfdb6832099f68ae76b64ce1bb3886edbfea35eebde0a905cbd6b8a7579f34fd58f8436e1415ef4393af9363838b723761818963c444749a70f426352120403a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9deb9a59b8b90cdba11588eb471f0923

SHA1
02989f9eab0404f67f7a478de7d1b472300e714a

SHA256
033bf8b8d88133e9977e6414561f2ecbdc6e9bc73f5d937b9dc42e2f70c4b026

SHA512
88c8674987cbfa77958e62385d159383e61c72db6ab39b0fc897189ce34ceb7e662ae6d07e5f3113ca3b6d7adad2d56c74e969e529821e7657cbfc756f26064d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ca6d2ae0c4bcf192652a5ba3b014ee86

SHA1
05a3461e38f4ce4a145027c0ce00498cef39ecb3

SHA256
3758b59ff4e3aa42ed67417de59a0f314a9c0bc0f613c33064f8f9515c52b104

SHA512
490e079f5c19e36eb9d1c65351a9f78e1f8f1bde273da589fe494a03ac45c2adbf895e24938b5484b7c33e82b96dd60768204b0cf4d671a4087883895eb14695

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7d3d35f6740136a4563238a589aef27a

SHA1
7e514729ee8a72c24e605c79c502e61ff84c5b4f

SHA256
3e821dd62074531bfe5e93b271eb0ee9d26d5509a26f656788235c32a61b335d

SHA512
f0af88e1b88ac661a5dc19671d12f101454670e10e1d3fd00e71dc2dd7ff8c16bd1d4e9c78c27c3336dc641cb2e1b735a41e2673a7e9d10a9a87b9168937d73c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
df4010d925dbbbe2389d88c809a9ec06

SHA1
37ff00e7794644eb85b4b3f129c4069ef3425c07

SHA256
0ad8e867f9bc6cf984427687d6cec013da42aadb064a9abc7ab1bf0aae328447

SHA512
dc86413455883c0a4c3bcde68c03bd8883f8a8832b6ed5f6f1748f73573d66928805baf9da844d53657bf8326c0a41d77d66b36505b8a8f771317773e7ef8392

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6f0feb712c42c6eb74076f2b24947c4f

SHA1
2b6d776951a08595087e883b0ff6ab7c3c73f429

SHA256
a26daca5ae5e5991fd10d3af40f7682291ee900734d94c0ca7094705ab60912f

SHA512
f6b3b9a380a744e3390532f8e156a941b9b074df16ac8f67fb7241429281a9f7b0ce2597b9c57e2cbedb04cd06e97968dcf28afec3ba07821651fe6a3c355576

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
60466e9243b008758af5fc81abefb1e0

SHA1
8ef2fb37f279c016644c8c94ba036567fc94b696

SHA256
7cba2cc6d9e1fccb0aaac4a1405cd7296323138721f0b81ca9ea3f109b4643d4

SHA512
953cb9e730eddedf28289f96477103bbd55d090f76526987d8edad17ad280b67c3380df3b6b9a60cdfec5ebb46d260ec164ccf1ba449ca1610d672b291f68278

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e1d03e2355114ac861bee6eb6a4a1053

SHA1
33620e04da991b2051b661ddaa014da735413479

SHA256
ab3ca9f7c1bfac2e4d97e11cf408263f9918174fa4a8362bd2915fb5aaf19152

SHA512
4f31b3b2a491ff3cf91c7ee4f1dfdf9e812f59da3c175c5342cea21be6156fafc41953323712ce01742609f33843ab6d0c199f44e0b26cfc7ec699cd37b61e79

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
94bca6b9c3444c3729d42652c48e8c53

SHA1
43962c638678589d29da1f2bd58fda0434cb1d95

SHA256
86ac44eae1e4388ca00c55597f5f69c2bf704a7f8e5365026b39a70038078f0d

SHA512
92bc22f5a68cd4c45e2fc864469ed66c847b83bf640509250fe51c04cfa1ac6e4f88d719569eb3ebce00cce45b74ce0155cd31ed6ad3cb85962d7695285322ac

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
aa6b63cff04d2d9fbaaad70040783d98

SHA1
4c2b46b64e9b5a189a97e6541ae250872421fb75

SHA256
a96b0ec4aa69febbdc707281f9b7586b06afb90307c01feb03af10257a8fcfa6

SHA512
d45de24e48fc9ef8aefa5936c0266fa66ee55ef68297d1d6d14b1c85875e37f00cec36e31f1ba3e5fcf058dfebb9502e8cc8f9164da4b268ec556b395ead4ff1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ee413ce704053ffdcd6475c6628baac1

SHA1
fc7cc89635b0a1d0eabcab4e0ab815133f5cf2bd

SHA256
ace9f2cb8451a60bc6c387c671d634e0ea6a97b0ffed54a7c4e65be871119096

SHA512
9a58c51e3042132946c02b01cd55bfaee7ab2b0a99e039700e3dd296a08776bfbf54b63c6da9a99adf8ba237f8db5ae506986875224c1db13eb250f37cf7d9ea

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5fcb52c9aa3be0bfbebec2357beb3b2e

SHA1
158637464d4da816218f9129a532c7ff6a4414a7

SHA256
672695f7533091dd81009903142e2f2cd14d379e7fee73964d10cec1f47a77e9

SHA512
f5b2e9f12f17921c5638c1cbceb2b031902cdd4bd2ea6d130b68cc9ae75e0139853e7eb5998c6dd2d9859d721de2f9222d1550b89b23aeca7bdcdb60276b4ed4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
819539b725ba76b57b76bb8a26a95523

SHA1
b90325ca2d06ffe6239f12b424319dd0122b9a38

SHA256
06d0923abb1bf380e4a0b35071317c2a3b7c2a73361b3784cb8edbb3a740d013

SHA512
6bbf6e1b7b479951983584858e82d3582de98977b4e39d3465194e87cc21abd7628600f323f0c8997df9a574a673cd2be9e9acc41fe05d1b3a18f5becafd9389

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
686ae643838c17352d211807a0a50838

SHA1
012f80b048c0253ca158b34755a970999e16484c

SHA256
0936a6cfe30946e054abf48cf6c0ffe06a6b9d652e0282a763df07790c0ea144

SHA512
0473f83a4ec0eed1dad00c88365068656be1d33a82fc81f4face5e4bcc8cc230bc3e7d6b0dfc85eb088a1e88179896bfcfdbb686affae00dda6152a75e285e72

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f06238e72b8a70ce4ecd51a5b5f45959

SHA1
90662ca29960b08fc343109b660f133a301ffbf7

SHA256
cabe555e94b83cdd4791a7236611a906a6572b21e2711b4ae2e032b0daa1c2c0

SHA512
b581040364a9bcd20d34181267413f77854424418ba293d5169439e5ea98ccbb9984191c09833380f352c7850698c7ef143389b9056ca799cd108fef753480fd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
19e325989df567cf575c85049c618b98

SHA1
0f5aa8a9d502a39a82b2995bb323b4b333ecba16

SHA256
7459f929932ecf7a5a55994966d75f0bd9686182524203fa9ef85a702b527677

SHA512
3e607848e9bf64394e2f0c65969b06da966fd5935857dd08d8fbeb7ae074bba4735bff4163517af4c8e9bbfd6e840f28870b59d5c9c1d3033b7679f6520f02d1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f45b2c6268daa0e9fa7135b573343bc4

SHA1
cb9e5871e1fc70f6edf3f90913a5cb2c22816999

SHA256
8f3523d51be338813245bc46cd9c3287b4029bac685d6df45091af420d3076e1

SHA512
8d5500ad5e369ac774b6eade151fff2b5480bc677549d619ca657bf5cf53dfaccbf114747601821f674be5bdfc50bf1fe7ba9c63f0a3a4028db5b0844372a2bd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c5a96fee0b0165f24d16fefbb4ff0a17

SHA1
832023604ab1ecca2ac1aed9bad14bd612d71aed

SHA256
bab56bbfb5bb0a6b3bc82b74c006b0a90bd75e947708fa473b35b1493ad80897

SHA512
ca15a94a67f3d8f848669fe71a9ce9b04c411329b59bb318bbf9813b720fd575312e758448508843488ab56ab142ff958957515b55e2bbec53844b925f98dc6e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
11268f89284185042d75469cb004dc2c

SHA1
91d77d0bfc867fab52d3411230f3f8a6fc4ecc7e

SHA256
78e4909bc2338759d8c254b86b58f581ee04ba435f97f53f07cb0df666dc3002

SHA512
837a350e19f36cdb924ce91ee9f2adac03c6839da6fcf472ce3117e0e5c8fda6e68e2450360072fb1c3b5cc658db941b118da9dc6c55bd2c5dbe00daab2e5c2f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
51170785d452782d28c32eeaf185b8c2

SHA1
d9bc4e1a123000b34c2a5e5ab96f7e98f8c6991b

SHA256
6ee6147a9d4b4a85234709c79efa9695b23a66bd8a0a5995a8949b721919f1c0

SHA512
f5394a49733967b830ba38328d3333f959760bee6014452983abc129785a40d38109fc523d34885b1ad677d5bce1378d4f617caa350691d23ad651fc19dc079d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e69a6fd742c416852a6bde7db2d35ec9

SHA1
857a1809c0e7b882b116b404ec0c423ae7c931d6

SHA256
9738d4664a50cce8ab4debd6f18fba00a1790e9cce8c86c9dac9aff8141f82fb

SHA512
422d0b9493fd691cdc1a5d29a6c95ed012707114276f0fd9ebaa6f70b93703ca83e596c225a100100ae46680620cdf92daa5f5e6ec61799c10ad9c250ca51aed

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4e9b1c35bfc8ebfc9a0d09f5a5575c13

SHA1
38a37fb6958b4ab50a91df4e59a719ca0c83cf94

SHA256
d92edf23a1a1727c3a18502eb40757c6167aeb69facfda8038d00956ed6aba55

SHA512
8e94cb03b1169833d4c99b6f0bc6f95c7eb77536f0619d24475d62de3f658b8089df686d32cd6622019b21a5788a1524b609b9ef70b3af76e1007a188ac9e32e

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/212-175-0x0000000000000000-mapping.dmp

Download
memory/492-127-0x0000000000000000-mapping.dmp

Download
memory/740-199-0x0000000000000000-mapping.dmp

Download
memory/856-131-0x0000000000000000-mapping.dmp

Download
memory/964-135-0x0000000000000000-mapping.dmp

Download
memory/1068-207-0x0000000000000000-mapping.dmp

Download
memory/1384-139-0x0000000000000000-mapping.dmp

Download
memory/1776-143-0x0000000000000000-mapping.dmp

Download
memory/2224-202-0x0000000000000000-mapping.dmp

Download
memory/2300-179-0x0000000000000000-mapping.dmp

Download
memory/2304-147-0x0000000000000000-mapping.dmp

Download
memory/2312-201-0x0000000000000000-mapping.dmp

Download
memory/2744-151-0x0000000000000000-mapping.dmp

Download
memory/3168-183-0x0000000000000000-mapping.dmp

Download
memory/3180-155-0x0000000000000000-mapping.dmp

Download
memory/3360-114-0x0000000000000000-mapping.dmp

Download
memory/3476-203-0x0000000000000000-mapping.dmp

Download
memory/3676-195-0x0000000000000000-mapping.dmp

Download
memory/3700-115-0x0000000000000000-mapping.dmp

Download
memory/3796-119-0x0000000000000000-mapping.dmp

Download
memory/4224-123-0x0000000000000000-mapping.dmp

Download
memory/4224-206-0x0000000000000000-mapping.dmp

Download
memory/4256-204-0x0000000000000000-mapping.dmp

Download
memory/4292-159-0x0000000000000000-mapping.dmp

Download
memory/4360-163-0x0000000000000000-mapping.dmp

Download
memory/4432-167-0x0000000000000000-mapping.dmp

Download
memory/4576-187-0x0000000000000000-mapping.dmp

Download
memory/4620-171-0x0000000000000000-mapping.dmp

Download
memory/4728-205-0x0000000000000000-mapping.dmp

Download
memory/5044-191-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 4656 wrote to memory of 3360	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	reg.exe
PID 4656 wrote to memory of 3360	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	reg.exe
PID 4656 wrote to memory of 3360	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	reg.exe
PID 4656 wrote to memory of 3700	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4656 wrote to memory of 3700	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4656 wrote to memory of 3700	4656	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3700 wrote to memory of 3796	3700	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3700 wrote to memory of 3796	3700	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3700 wrote to memory of 3796	3700	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3796 wrote to memory of 4224	3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3796 wrote to memory of 4224	3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3796 wrote to memory of 4224	3796	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4224 wrote to memory of 492	4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4224 wrote to memory of 492	4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4224 wrote to memory of 492	4224	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 492 wrote to memory of 856	492	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 492 wrote to memory of 856	492	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 492 wrote to memory of 856	492	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 856 wrote to memory of 964	856	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 856 wrote to memory of 964	856	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 856 wrote to memory of 964	856	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 964 wrote to memory of 1384	964	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 964 wrote to memory of 1384	964	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 964 wrote to memory of 1384	964	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1384 wrote to memory of 1776	1384	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1384 wrote to memory of 1776	1384	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1384 wrote to memory of 1776	1384	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1776 wrote to memory of 2304	1776	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1776 wrote to memory of 2304	1776	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 1776 wrote to memory of 2304	1776	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2304 wrote to memory of 2744	2304	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2304 wrote to memory of 2744	2304	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2304 wrote to memory of 2744	2304	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2744 wrote to memory of 3180	2744	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2744 wrote to memory of 3180	2744	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2744 wrote to memory of 3180	2744	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3180 wrote to memory of 4292	3180	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3180 wrote to memory of 4292	3180	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3180 wrote to memory of 4292	3180	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4292 wrote to memory of 4360	4292	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4292 wrote to memory of 4360	4292	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4292 wrote to memory of 4360	4292	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4360 wrote to memory of 4432	4360	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4360 wrote to memory of 4432	4360	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4360 wrote to memory of 4432	4360	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4432 wrote to memory of 4620	4432	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4432 wrote to memory of 4620	4432	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4432 wrote to memory of 4620	4432	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4620 wrote to memory of 212	4620	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4620 wrote to memory of 212	4620	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4620 wrote to memory of 212	4620	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 212 wrote to memory of 2300	212	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 212 wrote to memory of 2300	212	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 212 wrote to memory of 2300	212	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2300 wrote to memory of 3168	2300	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2300 wrote to memory of 3168	2300	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 2300 wrote to memory of 3168	2300	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3168 wrote to memory of 4576	3168	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3168 wrote to memory of 4576	3168	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 3168 wrote to memory of 4576	3168	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4576 wrote to memory of 5044	4576	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4576 wrote to memory of 5044	4576	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 4576 wrote to memory of 5044	4576	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe
PID 5044 wrote to memory of 3676	5044	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe	0a9043edfde59926fb8e4dbf2db0e01d367040b0f54da1395ef6a2112c902360.exe