a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
17-05-2021 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Size

148KB
MD5

820d557d20ed47d3f1bb6946110526a2
SHA1

004b6e3986ccb67599295c203abf529cc0c4456e
SHA256

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790
SHA512

9ae0a43ed10b9adfd16305a86e6128df9f35eda64258f11351127aa720a6baba7f555b71885cc9698e1db0179f824928b673cc0cace490c1133900cbfc5eb526

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Modifies system executable filetype association 2 TTPs 21 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	acprotect

Drops file in Drivers directory 44 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\ftp33.dll	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Loads dropped DLL 1 IoCs

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

pid process

484 a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\Q:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\X:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\H:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\X:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\H:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\P:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\P:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\U:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\F:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\U:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\F:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\Q:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\H:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\U:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\T:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\U:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\Q:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\X:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Drops file in System32 directory 1 IoCs

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description ioc process

File created C:\Windows\SysWOW64\ftp33.dll a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ftp33.dll	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Modifies registry class 21 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

pid	process
484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1884	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1424	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1660	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
928	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1440	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1280	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1852	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1096	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1784	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1180	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
860	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1028	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1216	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1240	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

pid process

484 a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
"C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1180

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:860

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1028

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1216

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1240

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
22⤵
- Drops file in Drivers directory
PID:1932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c524e0a1b07b60762f4132a8f3dcbd36

SHA1
2f8d4080535946a48379df75fe71379408e3b80c

SHA256
4e21d31d12f6dfee069ebc952a07d2b8184d0ea257d0253e7fb665718437b1c4

SHA512
8f82b2fb9b12b1a496eace85762bbe6cad36991aff03d6cda86cc3631564dba4b246b8e8bc75786ca2b1237986fe6b165d44e9de7d97173c1145b744e7ce3f75

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d4f0a137eec41269d45a5d4b6ebfb0db

SHA1
28f6fcfbcfee6a436dbcb7e1c45e4d0bf16e288a

SHA256
e45706f55f3ff08ad7a7bc470ecc0bac86cf8ca129cee01def91af0b66535797

SHA512
1025a7cf8f2f310d3d3a3d568d5246ff92a12d850a0d46b9353afb00153458918c17c80af39ea27faf0a5852485ac5f2d4f32bacba32893ba40ea844678345fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0a8b3d3092bfd2367db3d3542404280a

SHA1
a1411de5a7bf18e320446d5ecbf87c54f15d5b7a

SHA256
face0d0ff6c842dedc447f17195d6644d070ee82a319810ebf1da4dac8d7af94

SHA512
d6c6053d62277e8245c98378283bd87b6c6395c7970d21cf954a2739e75eff9836bbbeb6a2f712eb02f52e35af23b3b94e27a4f048b2fa88ec251d4e06f61e46

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4468aa071f1b00746e7eb55732578d23

SHA1
a1e6d084746d34ad30ca6c194bf2eb5dc5a1c2df

SHA256
315f72d93135200f7336c6d66343f335b8f3cfe322d2013b0b8fa30bec50b538

SHA512
041744685ed29ed86fe78258ce72477768150d1277ea2306b66d6bf71f2b5bf77f333eb3153db225f92ad505f6eef40ac6b6c5fd732d28b7b0db6c79054b123f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5a55a3d0c063bace068a5d0d4b3ea03e

SHA1
aee6b529f2d9ca510769df321a04233b02b6f4de

SHA256
92613286a41f65118be21459e42c2799ab140491d49da6d8b2bd1a799d7dccee

SHA512
421f212bff5345557942f9d1bb00984225d5d6025fcdb20ae584b5e53bafbc1ccebf6b01284d77d5d68249529ced6b417479905ae835504623e149af73e9e263

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d13a94cd2465b61e81a1e2d2bf422793

SHA1
784b1e32304a51cf2f0b71d95112ae2a5adde54a

SHA256
a0a45246a8fcc120cefe50dc48f296054868b20747672cbe894d2490a1dde7b1

SHA512
641e8a96dd08fb48e49d6bc7c87e77f02650829d88753c6625ab79a54ba065d5debd16b513618741335296249a88777e498ad82c84c5c08dea8c279907902bde

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c369b8df8ede848dc16528df7a689b61

SHA1
4c668825d77d23bc94fa5013611df546c776e2ba

SHA256
872d86e1fdb1d7aad0a63373627d2a06408358f2922558ac2d16a678ee054ae6

SHA512
e13982b081ee2e5eb9585788cfd7502e05be5c4b158e0e62a14684f0082af839950ae8aadad10702caaa26e3d43f73454ab8d4c467a4cfc063fa1f2e7fc5c908

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6efe81138b1f2cdcbbd177bccd3e3d6c

SHA1
7ca944019fc3e0559b43df80e716fe6322ff2ddf

SHA256
fe899aecfdce7e10d0fb18e58b012e1e39fc2b9d96833df3e0c6e9c27575b087

SHA512
644d9ba616ef7d5cb316629c13775d6eb55e9eeea66de2f564916f90305d7ed54a6090ec96f74e736793e303e9e5184d137bb477a9f6ac5e10ed22bdb7068786

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
04ca033ab6f8b46288a7ba654018f877

SHA1
3c701e7b29d010760c9b0b8916519370c4a16e53

SHA256
93d6ab9800ad1ec41310fd1089afddde36b0441fae78eec43f149f69487f4943

SHA512
e5d4e5936070d4e9fe8566efe2dfc655a24b611bd4841257ae9377bbe7e1c30538b1afcb9378494c97c35e5d9b744cd65afb27bbff8bded3aaebf59d462e61d9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
26b867ff1d22de97c8fb099282dc0080

SHA1
4c370036d7d6a291c5ac11b0c004bf0eb52c263a

SHA256
de5f9ae8f8f25296380f455ad4df2a05b4deffca94d91898393e781e733e9936

SHA512
649f29bc80ac176bca5ab29e98ef5ecf1d776e43b124782ad19e2845c3c3084de3493cd649d66227492d578d5159b118c3fd52235446d3508ceececb5725eb72

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2b3f3f6db9b8a2f4addfb94e5526dc6d

SHA1
a8427764656709e16be09975782f46752bfb9f85

SHA256
799937cfd26078ab0a894d24d83321997075b553719d0dc14c6ce9aa3930f715

SHA512
992cd1bc181585747667022d287afaac0d1f6cda72c14530ecf41e3608270b124a1bcbbbe5deb9e56890d6247c58160769fcbaa0e2d1dffaed12bba98991ba1e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9fc759ef5f71e714b568a325f87c323e

SHA1
b8ab0f66772b0e2dc378f368df1db1e65823a532

SHA256
e4794565fc852de3ec392df8ed037dac094d0575a621f7816cc8c27820fde51b

SHA512
13b6c0aadcaff44bc5d1d24c5409481a8d335fdbb65cb0f4a94cb24f935d078e6c4d2a0a4cb6e3c78b685870e0103422dac91e9e5ab3a1e5a3d5bc90cd564787

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c0c4b25be7f9f3df7fa2e5a1b5e6675a

SHA1
7fb6be0115664f32f04e8f12f1fcc4832b5af756

SHA256
b1a21c98e59ee266ae80bee3d7e40f579fdba8889fadc2be39b58e85aa097459

SHA512
0c1d500eed3558652084b738402ac799e378ff4ebd1fdff3ba6d029424c30ba96e72ffc4cb3f07b4a7450940058d8af64ef6f519cb22fa4e21a9ce0ac6293fa1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3e7f4bed3a87586dbb7ec62080e6a8f8

SHA1
e1285489034af55f0d9df8da09a56dc8b7323b0a

SHA256
a37534d243ecbe9eacbc6fe3fe841d190763349131236d2b79420044bf7b59be

SHA512
ff5c7f9a62e8e8ace7f0a7ee09e1fae31494a300718b2c9e4039ccfc479b5d91c71c351d11903fa05d7e37f1ee914e30ad6cc486ce6eeab2b60ff43b0d0775e6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f8be77713a8743de59090532d5645503

SHA1
34b565d8c4d3eacd7983424b5510b69abaa6a4f2

SHA256
7d38a6602a5543c0fa548619a6ec80759f0a1c1a8f21e306a4ef572993decea9

SHA512
c3cec1d2aaae73eb99392cf6a5f650251807049190643664501448436426650578b82b34ed83c43b5f9e7ce0a6f518737d23ac0ac10c854ce47fbb80e188752d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
21dbd9200b7e42c220a6e5b46f297d23

SHA1
f55838c71ae8924f367f36af9839caaff49a354f

SHA256
7a722f55951cd67cf795c69f7cae0bfbe72d34326e96172e71a303667057e9df

SHA512
345acdc1ddf81f6f88fb650a89184d48cac7671cc342ced18375e76bdddc27efee1ecfe48f279f95db13b2043806912f1c2068db8ca90e012be2b5b06a45e781

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7051212c7137e6605965b9012c6efdc8

SHA1
3303a683b3129a5cb89e3056617334a5216469fd

SHA256
12a67bee1a972140ee53d9e5bd8e4fdbd4b07eeca5782110446706d603ae7434

SHA512
a8f90a44fb55b5e67ee7a80d1b88fd70d9edeea3a19647a22d498605691e312571719eccfd6f40dbf5509233f356156e28a044e341c6bcbda1acc73674e6624b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e53f4cc147093404f1ecd6641690525b

SHA1
c08e150e819c6d075c8e7311cba9c755beab681a

SHA256
0f60ca610f7d5d4c2be162de2ff93fb953d31d565f489922b8b66dca65579073

SHA512
4e63b7a4052c542a3084460372589ef5b31546d77d60873e1372b8c76ac67fee5d7171415076aa7fbd89b9c57111a6c60dfd6d3338717b8616b0de67b4dcc465

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dba8f770f0038a3bece39d07e446c2de

SHA1
ab02a5cb12e741364d24cc48e073cacfbde84dcf

SHA256
427b1f0a480c0eba50b8d969215b9a8454240993844fee9292d05bb1af2fdced

SHA512
e175bca74e199936fdc2ccd7d51d5827b44f603980d5c633f775011504382ad6612333ffaba27b4f1732d080a2af9351948f7e5dcb8a480743daa2b62a9cf4fa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a21c1bcd458b9759d719e53d159de639

SHA1
584042d18c4a95ea2b82a36cd6610ce9d1cb3d1d

SHA256
47a03a859474d30920ec735adab2f5fb56c56c42a7c2f1b903eb0c9da86daa8c

SHA512
f19aa78b524017d99e0f6d2c692d0f4bad89e91268fc28508a14759f22817180e3132415b95deed35b33aedd4f01373b20c4d56546e37283cde0a803ad268845

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7c3f455a783c0cca3f0ea3bc5547ab53

SHA1
5c01bf537977af0893c2d9ac49c3b306a13a2ee3

SHA256
8c599cb89d89cf36e87e82ca6f10a550dbb563c0f9f2c83b2a87d94dddb9051a

SHA512
ff3ebadf79e0de96148862f4d0172f639e40ce54ff30cbb64fb4d09ae9f68570c7c9cd56b6e6ff0998ef6225b8ccb3676337600991d493ceac7c9a467d40faed

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
756e607c27f0366188d88f9d7db4318a

SHA1
6f8be1ba5b9051918dec3be1e6e40b77fb8a6cae

SHA256
d163185ebb90633104fc1d92d24f65e1b4cdc2e625b75e1431a5e20db0cc84c9

SHA512
0beba2e770ba714a0af5c2831273c38acfecd98d83dd5739443899c0c77bd28d976493c2ac51152728fba263c6332b03587cbe28b8f0c28049ed12a0ce56bab0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f8c0a32ed0a22d8d98fa076ad38fb69c

SHA1
08d47b8f015824ee3e75e5159b1d3b09106d6a55

SHA256
01d60d76c56bcc6ff4f45345abb9e33d9e734127a064b4568434435aa9a6e7a9

SHA512
b4f8c722485ad80e237e6720285cd75c07d5c8a29cde5a18c14807d89c4daf206b6dd6a07dcb65faf162e15707c339343a06154bdb0c2eaf25e8685f262588c1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b73debe4234f18bd6849e4ef1870ddc3

SHA1
710a8963a26b8ad305f345bbe2979ef053f354cf

SHA256
5bdfcaada288b1780794fbad44c495b8a4eb3cb290b32995dd887b9f2b3326a3

SHA512
91b71df75a1cf863899281be53ebc030accb6c5050e1cb6f7be422c40ee9d664134da5f82a9560722f4a8161adb9dd0e0fcdb30ac62333e55232fda1eb149230

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
841c5e80989a8116d830015099a733c1

SHA1
427aeff56ba8930c8a033a642a6b519d3d2271c4

SHA256
02202ab0be3f311c2121776224b5090df2e5dc814b05be7e14f583afe257846b

SHA512
ec812f1ee802b03a53d5cfc1e173d4d4d6f4e9cd49d595ff6238f2cba736dc24c30666c4e6ff5e838f375c68e280f77c32af30a75bf2f9626800db0537fa97f1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6cd745b4ecf99f00db8500fe9bee2c85

SHA1
d62e52452381bb9c761cab8b72e8ec80eab13ad9

SHA256
6edfaf6e286266504a0d06d2b44578151ccc34cd58155ca2aafead73d6985199

SHA512
1a2c301dd45f5ec1cbdccf748588c7fd13534a52bd0b0b71fbc2567e0e9ddd01c42e2ea5d2d2bb7696884f51470fa2ce96875c29610eca17c30e66d866a2dee7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
020fe0a3bd5110c60f0e58d3b88097b0

SHA1
1f80697816792ec01783ad357ad8294edd96c33d

SHA256
4d4b6f4e569c015a95bf3f1879fed68a510f5c4e75f06e4df64c59c8f6364494

SHA512
8593b0c7e65074bdccacb0eae3b01d0d4c05abbd4bfbc34e892ee3bbaf7281d37a70a42309c8e7f6f412dd7cfbd49659ddf25ca573d84000ffa38ca113930343

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
69503dbed53bc5b20521ad1b88d2edb6

SHA1
4d42e27ed74edcaf2c2358d42988a4aedd3bbec4

SHA256
2dd598beba411b0b81f29ba6f090c57573a73abb25edca3f6d1860588bb27311

SHA512
41fc0f55b6bf442973331186ecd6e1439e8a017341fb60474d296d14607ea807dd1df77e03ab48d3f785607090841ffc5e38fd5427b8dbb024710f6b65eb5fba

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Windows\SysWOW64\ftp33.dll
MD5
52cfd3a478476c335fffc7f32dee8f5d

SHA1
4783f6790ae635e51f2ba96df87c3ddbf323525f

SHA256
708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c

SHA512
966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

Download Submit
memory/484-61-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/568-128-0x0000000000000000-mapping.dmp

Download
memory/672-113-0x0000000000000000-mapping.dmp

Download
memory/860-138-0x0000000000000000-mapping.dmp

Download
memory/920-123-0x0000000000000000-mapping.dmp

Download
memory/928-78-0x0000000000000000-mapping.dmp

Download
memory/1028-143-0x0000000000000000-mapping.dmp

Download
memory/1096-108-0x0000000000000000-mapping.dmp

Download
memory/1180-133-0x0000000000000000-mapping.dmp

Download
memory/1216-148-0x0000000000000000-mapping.dmp

Download
memory/1240-158-0x0000000000000000-mapping.dmp

Download
memory/1280-98-0x0000000000000000-mapping.dmp

Download
memory/1424-68-0x0000000000000000-mapping.dmp

Download
memory/1440-83-0x0000000000000000-mapping.dmp

Download
memory/1568-153-0x0000000000000000-mapping.dmp

Download
memory/1660-73-0x0000000000000000-mapping.dmp

Download
memory/1672-93-0x0000000000000000-mapping.dmp

Download
memory/1784-118-0x0000000000000000-mapping.dmp

Download
memory/1788-60-0x0000000000000000-mapping.dmp

Download
memory/1852-103-0x0000000000000000-mapping.dmp

Download
memory/1884-63-0x0000000000000000-mapping.dmp

Download
memory/1920-88-0x0000000000000000-mapping.dmp

Download
memory/1932-163-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 484 wrote to memory of 1788	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 484 wrote to memory of 1788	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 484 wrote to memory of 1788	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 484 wrote to memory of 1788	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 484 wrote to memory of 1884	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 484 wrote to memory of 1884	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 484 wrote to memory of 1884	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 484 wrote to memory of 1884	484	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1884 wrote to memory of 1424	1884	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1884 wrote to memory of 1424	1884	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1884 wrote to memory of 1424	1884	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1884 wrote to memory of 1424	1884	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1424 wrote to memory of 1660	1424	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1424 wrote to memory of 1660	1424	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1424 wrote to memory of 1660	1424	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1424 wrote to memory of 1660	1424	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1660 wrote to memory of 928	1660	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1660 wrote to memory of 928	1660	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1660 wrote to memory of 928	1660	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1660 wrote to memory of 928	1660	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 928 wrote to memory of 1440	928	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 928 wrote to memory of 1440	928	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 928 wrote to memory of 1440	928	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 928 wrote to memory of 1440	928	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1440 wrote to memory of 1920	1440	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1440 wrote to memory of 1920	1440	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1440 wrote to memory of 1920	1440	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1440 wrote to memory of 1920	1440	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1920 wrote to memory of 1672	1920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1920 wrote to memory of 1672	1920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1920 wrote to memory of 1672	1920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1920 wrote to memory of 1672	1920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1672 wrote to memory of 1280	1672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1672 wrote to memory of 1280	1672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1672 wrote to memory of 1280	1672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1672 wrote to memory of 1280	1672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1280 wrote to memory of 1852	1280	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1280 wrote to memory of 1852	1280	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1280 wrote to memory of 1852	1280	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1280 wrote to memory of 1852	1280	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1852 wrote to memory of 1096	1852	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1852 wrote to memory of 1096	1852	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1852 wrote to memory of 1096	1852	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1852 wrote to memory of 1096	1852	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1096 wrote to memory of 672	1096	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1096 wrote to memory of 672	1096	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1096 wrote to memory of 672	1096	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1096 wrote to memory of 672	1096	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 672 wrote to memory of 1784	672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 672 wrote to memory of 1784	672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 672 wrote to memory of 1784	672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 672 wrote to memory of 1784	672	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1784 wrote to memory of 920	1784	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1784 wrote to memory of 920	1784	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1784 wrote to memory of 920	1784	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1784 wrote to memory of 920	1784	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 920 wrote to memory of 568	920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 920 wrote to memory of 568	920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 920 wrote to memory of 568	920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 920 wrote to memory of 568	920	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 568 wrote to memory of 1180	568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 568 wrote to memory of 1180	568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 568 wrote to memory of 1180	568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 568 wrote to memory of 1180	568	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe