a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790

Analysis

max time kernel
150s
max time network
158s
platform
windows10_x64
resource
win10v20210408
submitted
17-05-2021 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Size

148KB
MD5

820d557d20ed47d3f1bb6946110526a2
SHA1

004b6e3986ccb67599295c203abf529cc0c4456e
SHA256

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790
SHA512

9ae0a43ed10b9adfd16305a86e6128df9f35eda64258f11351127aa720a6baba7f555b71885cc9698e1db0179f824928b673cc0cace490c1133900cbfc5eb526

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exea623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Drops file in Drivers directory 58 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\T:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\F:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\T:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\K:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\H:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\T:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\R:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\Q:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\N:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\X:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\O:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\H:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\P:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\E:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\G:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\J:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\Q:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\S:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\V:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\F:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\M:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\F:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\I:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\L:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
File opened (read-only)	\??\W:	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2604	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2604	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3300	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3300	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1156	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1156	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4084	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4084	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3048	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3048	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2752	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2752	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1548	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1548	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
900	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
900	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2272	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2272	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3136	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3136	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3376	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3376	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4052	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4052	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
668	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
668	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2584	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2584	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
192	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
192	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3768	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3768	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1820	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1820	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3380	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3380	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2012	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2012	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3964	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3964	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
492	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
492	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
204	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
204	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3196	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3196	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1744	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
1744	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
"C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3300

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1156

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2272

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3376

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:192

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3768

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3380

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:204

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1116

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
30⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
C:\Users\Admin\AppData\Local\Temp\a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
31⤵
PID:1488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
9848c4c7758e69d63a5690bfbf5ffb96

SHA1
5d907ff14bd8c3701cd2f9e0affde5879b980448

SHA256
319399655029f060184fd682b4c2591467f10e259e34cf6652c6ff94fca96f0d

SHA512
5d5cc4148ac5c9a352a7c1916ca5c98caaab6753ffbafaa1c77d4fdd7db00c75f3321c8414f34189440718e193d89eaad94e31f8fc8f6a53fb5d81edc5f2af1b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d773432b4608ad8b8acb5589dc0fd6b3

SHA1
4e26f2b451bf18328a5e7b76c00b4c2d7ef7f023

SHA256
eb6829502bfdd8d12306a90ec620e64814f273555f40b5983df9d9bbbca0f2f1

SHA512
f8c4b5a77337f8054547c24a59ddfa583b2a2392cdea2f60a36ed635dfc15d3f4147bb8ce243d2dee38fc3af4200447da59e1b0b51af091623ae3807a1cd6f13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
45d04ccb83437abb29cc0aff8b553bbc

SHA1
5a352b386ce8ffb2191c331b620fc16aca09cb23

SHA256
131f97f8b89e0fd8db645a4b4b0edce7096cc68b911597b6ed7b238240425411

SHA512
0004917ba67972a9dd7a302594b16b5b4599386d78b71b6d3f64bc0fa8086997e5cab2c8e8aa36dad7d7a206d3d68273a8577c5ba03c1d57fa15b77fdf2452a8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
aa5b72369abecbdeaee94dd3fcbfc3e8

SHA1
31b36c54d4754c0422750bf292dbfff1467058bd

SHA256
845bac149e4be9fb579bf5676c19f163f5578dfebcc66f8aa67792b9da830330

SHA512
a8c088592003d18ccc2542da9d8f67e6f86c29adffa70e005b3735441f20b9b2dce789203e5bcdb673b8a2b27712dec115e70db6f6fdd0359f889c3b63ad49ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
46d807e653a9cf0d41aedcc1d9e7ec74

SHA1
cc2977cb8b7a9d5857e9833322deefc8c2a9fa06

SHA256
98a47ef782777800ceb9edeabea5dc7aab6fe3ee369d84b79a55a59a5ebdbcab

SHA512
54a5afaf4a1400f0dfa5693fb0578fdf27760fb143f620854492eb00cac0c27ac7bcf5df583450612296e4acdd00fa13c7ab3b4226e58e459562856c02f7ebc8

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3727affdc3f17c5ef8928fcc45fc974a

SHA1
0e8e4b5ec03646eacdf235a34e35ff9e0d02acfc

SHA256
459fd0ea977d6d956a968a1b54de29f2967d3ee5554b3f6986537df1d541c2cf

SHA512
a44aac2dbe848e03715543623abc5e3b6cb4060e0d63044de7c8f15a2428cbd83b84a49311540e7452f424c514690c86afebf97b16cfad4fdacb909897eaac0d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
9882c44e57a6e849c86cf33ece89c43d

SHA1
47fed025794e28d379d601786e9cca4f22b18e71

SHA256
f2f8865d01cd5ec640fb5bbd5c479a2d211c5e2309e9598ac58fcd04b48d4c81

SHA512
e401a44ce5c4c9e3b06722ec2f6d23676bd1e46cc07d9d58a50a0ab95613d0d4b931ba3fb259f7e49caf19a38f4f0b24111fb0e8d382936d04583a3c217c1644

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fd500d0a6083c93d77d23217c077df6c

SHA1
510539cbee02df458aab1866bd39b1b705a939d0

SHA256
4722071076a35116ac5175d0afd537bef45f761a9dd0dd5f70378f92e1d407f9

SHA512
43c24260ce490222ad95b42a46c801e5b9b198441a640f91632c9d5984e18d10f59a3da4c35a81b9c5254b27987070301a2162f3a545c71f7e46fd08dd4c1eee

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
58b264900373bc306222ba8e9e33936b

SHA1
af295c208eed37b4589c0bef3c0dd5f5b16125ae

SHA256
f64f3fa192f03494666091fbe5da9238c2bac1b86a793fbd9b7635cbce8912de

SHA512
744f7bec5783a807dfd69492215d03d3d9e154ca5f17e25b1ea67220406be362efb099aa1e2fb1e3f8cdaa6499a45e850363b81cfc3353e8af65a2f96a137f6b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
70c7f7cc0037d6665c6286be59f905da

SHA1
8422097ac588556b2e7f2f2fe5e7bb8d0cb8811d

SHA256
28e93261448e51e36e04bbf11c989a963ed32f9f3bfb55b9e8045a87b53738b7

SHA512
7bd0795aba3511f759b364b95da677ea352fd92abe164f7f541671039397340ca0e5ebc5bd35635e630d2215ff857e03d08d6dc6683a33f7fc5dfac043d4298a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
62bd825309382482a127b49590e98105

SHA1
50e0e901e7aa993f1c85f95891c0d81fb39bf172

SHA256
b1722bc9c98d58cd3964ac31b5b44a6a399e2446f35257e42ab7e5badde37c9b

SHA512
ed59edccb7e341f5ea3b430947f2faf957a79509d16f524c67f5e8e6e263227b15546a2bcdd1d14e8d20cceb4871bc53a5481d2ea93bd79d585e5d351a131493

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
492835edca13944ad2df03323e2c14ef

SHA1
0c329b12688ff6234bc06ad2521fb03ddacf410b

SHA256
d81ea9d812133b9e5769aab0facd8a212c6ffaed4f44692f9311c43dec8cae1d

SHA512
0b5aabd909c5b4100aac1067405503db75ae557c8d2c5adf5c5438c5f69989f1b57edf7072ca3d800889db936568014e0f5a859f055f25c5e748cd8f052147cb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ea74bc8393f103591e4f7f8ac0a68690

SHA1
8f8e9b988392f90e1688d8f105a9d553eb8fac35

SHA256
fb59c0525340b2e8f1cf54bb42ca1b547da4f71922bb28407cf949bd4be972a4

SHA512
110681ac307c225a7d2c02b0d7ce7de9da358b23f3a9c20ce311bb2d26878b461e32339623ad11fb69883698f3b2aa3ac2119eb5cd59b28f9531363d6909e342

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
087e716bd3b5421794c26cc30b9a7c41

SHA1
552595c7b441110a8d7ace3f0624e44e0491bff7

SHA256
55ccc0aa0d5dca7224815bc802ee40d3b7b20374cf32e9deadf7e3244f950a36

SHA512
6743a9bba855f6f35fc5df5d381c294274218ab5a725dbbc7255992b2cf68d54b13d90cbc22b7dd30254ce1394f16d07aba0a06caf77442016f1055f165b293c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8b95b5f656ab90e80d1ffa81e83d6164

SHA1
7909decb9edbd980dca383a1cc6e0d5f74de2537

SHA256
165e78ee994bef9ff8d9f9d06948495594c9d1bcbe69452c07ddb4fade224968

SHA512
699b5f4746eafd4d568f6db2c9ce93a2ab192051338f80d96d6022e8e54550da3413e7a1a5a0126cbbccb649c079cf32d32772a46c73cdc73869cce27a1c0607

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f02d18529901ac4467dde628101ff64d

SHA1
7f04c9595fed7c5c77fba0acef133f48ef50ddf7

SHA256
e1d959234f33a8e8f4683b3ae908f480350f7ff8a00f84543177639128d65a54

SHA512
152fb03b8cae5acd00d528f2a8d04edf9a041662df15b6b2fc9618f8faa7ecab3cc726e7a48e3175e2364fe1514e86999c9f5045891ea460571a1fc850a67d6e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
48fcd4e7b32ab01ac63cabc2e1f479df

SHA1
16065444adac117e6bf47443c76d3a863b34aff4

SHA256
03927db5ca99eb77cd1870f32dcf480cdb0d64c520b23e082d636da804004950

SHA512
de14c596bc484b94b67a3cdd90f1301c65a9680ff294e536d955f785f19b13db28b535765f74eedcf4a0c9b639b8ff3efa5c1c06d3720d5e7518b02f087f4556

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
65b298c50222585b4efc115c4ffc9cf6

SHA1
5250e09a98c7ff52551d9cdf646f1ab4bc607413

SHA256
4651b3c95d41548b5d6513d15ce3c94bd53436d8bc456adc4553579a5e04e5ff

SHA512
d2d54691ce673411c233de3747eed1ce7e4e64e6c18f38b57fad40518e560a9f1c7dea86a096d8ebb51e114ef16eb591f4c2df8d172b40485c6ae19ff39affb5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d694c5ac1a63b43fffd769c7e06608fe

SHA1
826a0a93d2dc43a2825624fa7c7ec3c13314eea6

SHA256
b65ee8ac3eee05812348e52f30d8907eb6e8081d27ce777dad8e0c8dba469182

SHA512
d42f8fd376ce370bba8018bc402ce0f2f344615610ede97899eaa04ced33e57cfd6616834843ed289c9e4a91104cf1ed4565074b2e4b0f5255218b8f06095da6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
20887cbd21f60fb7a6043f32f884b361

SHA1
6d9b4fdaa6a482e9338860b633179542e8da22b0

SHA256
c63e8624855a299ee0477960c2a7c421783bbbf3b1b6e159034243585c1c61dc

SHA512
71eee3eeb027e8c6ac2e457702626f3bc0fd7f01afb120b4b280bafde0d26182d4b607a16f851cc9d2446e722037ff7a5f6260a4a87b73d8a75fe5311dc87457

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
573cf1e98f52a52434bf8b748c149485

SHA1
1094b0ed0253d291cfb210ce76204d46f00a4639

SHA256
b52726d1dfb3ac931c9c82e661b5a5132ca9a0fe1dc25d844dcd073fb4f5204c

SHA512
0eb46b2629bd2434d2047adfc8cfe7fedc1d85699ed988dd0bc00fe30cb23ef0afd4824502c1b8b2de456dda10ad21c14a85763ce38316f805caf6f6cd8d5d81

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ca3c6421fc1cf52fa172273c0159fa91

SHA1
1835e03679786b2782df2081115bcc62fc7bbc45

SHA256
ebc16a6df7dc5bcafd7665acf201e527460b2481181336a7ca3dccdb7d3b0680

SHA512
afb388e26761f007e44802b68209cf690a3645c39d72dba51e40edf3585c6178fd9d8dd994d8fe100751b9fbc9842e001c89b439b6340894e8499c25e77c73fe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
957a3c6e21c0f9a106713d154dcf82ac

SHA1
7ea46af919383ff3c686841c0bde4a2adb5675fc

SHA256
776ab8b8e7a58cecc43024489fd0766a32f4d7cadf41dfdac2ca17ceb0bcb691

SHA512
ea099e2d2ac197317c7288f347b3706b9d34d79468a5061740e6b014005b417ea63587168ba33d2cd643d02f803423ddc83202b1ec606da0b271372f69a47db9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9b4510aef3dea088f975cc9c096bb09b

SHA1
0825e542b8803ae59a00b1c8aa83a70ff4d830e3

SHA256
acd5d419f5c09fbd47e6af5dbbcf7ac94813e417775ed5c963a0dda2777e5e6b

SHA512
66b1e4ccd1abbe1a8bb780d926051798bd5086795585fc1432a1bc8c4670e90352c327c310b44d56410ecac342288eb3a0d20b7fc88d670f09a0611f6a9cab05

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e2b707d40444ec9a8dbad61aa1fa1e8c

SHA1
f79d6b6490dd00bede561166531d21f08c1e0476

SHA256
11c2e57b7f4c0e5e7fb2692f8bd8761cb5b7c3be4be79bd877d74174c9991b3d

SHA512
eb2e3a302038b40af68ce9b1cbe2c92bd8dc8af69f96736fd88c2e155c2eca51984084a4f186e4bfa5165fa3da9ad4e691b36eaff306664d173c5d32e05ccf25

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
856b405fbd5a11c698b6fca6a6581475

SHA1
cb0a0d28c99fad39fcd8f2adcd0539acac05977e

SHA256
89323746ea70879bf8712d7391eee11bff310b42631308eb7ce5e827e381550c

SHA512
0c829707d5561769afae8c4ab42cc5ae6e95a8fc00c312392c664c0438282b30483e9855f1368a478e493d4c3fe3948be25a5e7ddad08016b99466be222b6ab3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b19a8d0ba4e18dcbf0501c38ab7255b1

SHA1
25d6197bca2742521d80d4eb5aace60179ecf7ca

SHA256
7b15c82ea8b3c089ae5c6cd0b88eed3676b09e8d25e6559aa69de2064232d2d9

SHA512
679cfa1987d7285cf6402c38862c7c94a46cf0884b1cf057da0de5ad8d0411ab0f488367e852ae9d21ebec7523b69c5356dc1e86b11e8e1c70471bc84bb32eb3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9b2c771ab979edfa381eee63def913fd

SHA1
08efeafd9c416706d7ea5d9a997fca929b155c40

SHA256
5ee076159fd5aa58ffe32aab71b66906d274911bd0bafb919cb34e464a10c899

SHA512
6dbd2f34faeffa39439144a613093fdd652e41b2a0542b21502950c0dbbbd005ca839d09ea7e9fa2b441b7fd8e75db2972ec58460e956f7a93f86446bb0f75d1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
517211784cacaecbe5e505941cbad31b

SHA1
889e4d52ab91fec9c06aa88364c10e7044baa68b

SHA256
605b23a924f2f3f9c2c35f35dff393af150d4d863f79675ab99d32976993607c

SHA512
c438b4f5db32f7038246d938f0bfd278d62bab9086f0bd03605a8697ed84712b6e85831a36c564a47cc64554be62a2a955ed833dd56bf113f4a6d32f1510aa1f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e8b364b3acdf259e92c9c7912b1c5a9c

SHA1
8d52a5b5907d9f8268d8562bb2938c40822de2bc

SHA256
e83bd669172a5b4c63f999e7c9837f0131c709e66f61d106cc0082e5a5a2c508

SHA512
60ec7bf63a611456ebb340277bd9941da191cede961d469673dbaac36acf591810c1e85f8ca5b90ffd67de1870dd26917edda1cb089dfe62c2364452dc484035

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
57c9503061af21e83b4379c954cf090a

SHA1
6a85151f9b1b2dce9f42fd7e259978a4f0570f5f

SHA256
33dfbae9cb7246afa804da88d6daf35622b7ae457379e88aca8841200240eb69

SHA512
4fcb864b858b7581023c6b5bbd01ea7d484e1608013bd146f50dde083d1f26236d660623add634bdb41f6dcc468a2422efa28ce5ab1abf014d959d73e605937b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8069affdc6992b6e9e876421f98ac353

SHA1
03c3788258f09dd08d30c0491c50510d55543621

SHA256
9be4027bb0cdf64c2813a5c1227d7a6e2561d19143b08204f68ed9ce31209311

SHA512
f5a80c31eda01b835e93c93a562fda8ab1cfd8077397f01930670c53b0ecc7167787649d518c030b68a4f24e1fcc50c6d01c1a5b7d940b95c70a684b308cf031

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
af55ef376d8059ee5d1ce4267ce86538

SHA1
f3ff6e8cc728a49200d5718498b0fa103ee64ea6

SHA256
696900df3fc75ee7cfa77f0b2efafdbabc759b8a01809299bcd2ca70f74a4417

SHA512
76a2c245c0408a50c4dbd4c152035f5b569e17949fd40a8c443ac23b682c82dab01fbfc68f14c836c912feff390497c47b391fc61d6b3570aa2898618bda16b1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e7de3336446d0b17ac0ff8554e6e4177

SHA1
624aa5e928277e127f3e59eaf0280d75fafa5750

SHA256
40e3b35f0c0387c1b8ea6dc5ce01cf6a537c3f4a034540422a5b8cc90c04e991

SHA512
ebc40ba0309fbe560aa74075553656a7e6157f157ad5503b448a6933d8f06bfcce70043299b2befbd9e8fab17df9a324898e5e0ef43724d771e93686771cec20

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
610e83b7896bdf9277444874c3191ca3

SHA1
32a8aab92701e6ad2c7b4c96b7dd48e111434acb

SHA256
768dff38238eaa72500dead030fa7cbcb4adaa1054c5ab9de536a83e63228d14

SHA512
e7ed2742390c8538a09be689a1e176a98f18084c433bc89483e1a7051a8609bf225138aa26d0cb9e3e97277e18f21d2d06921fb3b0d3596a616026c20a6067dd

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/192-176-0x0000000000000000-mapping.dmp

Download
memory/204-204-0x0000000000000000-mapping.dmp

Download
memory/492-198-0x0000000000000000-mapping.dmp

Download
memory/668-165-0x0000000000000000-mapping.dmp

Download
memory/900-146-0x0000000000000000-mapping.dmp

Download
memory/1116-206-0x0000000000000000-mapping.dmp

Download
memory/1156-120-0x0000000000000000-mapping.dmp

Download
memory/1488-208-0x0000000000000000-mapping.dmp

Download
memory/1548-143-0x0000000000000000-mapping.dmp

Download
memory/1744-207-0x0000000000000000-mapping.dmp

Download
memory/1820-183-0x0000000000000000-mapping.dmp

Download
memory/2012-190-0x0000000000000000-mapping.dmp

Download
memory/2116-172-0x0000000000000000-mapping.dmp

Download
memory/2272-150-0x0000000000000000-mapping.dmp

Download
memory/2584-168-0x0000000000000000-mapping.dmp

Download
memory/2604-115-0x0000000000000000-mapping.dmp

Download
memory/2752-135-0x0000000000000000-mapping.dmp

Download
memory/2984-139-0x0000000000000000-mapping.dmp

Download
memory/3048-132-0x0000000000000000-mapping.dmp

Download
memory/3136-154-0x0000000000000000-mapping.dmp

Download
memory/3196-205-0x0000000000000000-mapping.dmp

Download
memory/3300-116-0x0000000000000000-mapping.dmp

Download
memory/3376-157-0x0000000000000000-mapping.dmp

Download
memory/3380-187-0x0000000000000000-mapping.dmp

Download
memory/3768-179-0x0000000000000000-mapping.dmp

Download
memory/3964-194-0x0000000000000000-mapping.dmp

Download
memory/3984-202-0x0000000000000000-mapping.dmp

Download
memory/3984-128-0x0000000000000000-mapping.dmp

Download
memory/4052-161-0x0000000000000000-mapping.dmp

Download
memory/4084-124-0x0000000000000000-mapping.dmp

Download
memory/4088-114-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 640 wrote to memory of 4088	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 640 wrote to memory of 4088	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 640 wrote to memory of 4088	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	reg.exe
PID 640 wrote to memory of 2604	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 640 wrote to memory of 2604	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 640 wrote to memory of 2604	640	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2604 wrote to memory of 3300	2604	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2604 wrote to memory of 3300	2604	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2604 wrote to memory of 3300	2604	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3300 wrote to memory of 1156	3300	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3300 wrote to memory of 1156	3300	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3300 wrote to memory of 1156	3300	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1156 wrote to memory of 4084	1156	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1156 wrote to memory of 4084	1156	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1156 wrote to memory of 4084	1156	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4084 wrote to memory of 3984	4084	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4084 wrote to memory of 3984	4084	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4084 wrote to memory of 3984	4084	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3984 wrote to memory of 3048	3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3984 wrote to memory of 3048	3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3984 wrote to memory of 3048	3984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3048 wrote to memory of 2752	3048	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3048 wrote to memory of 2752	3048	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3048 wrote to memory of 2752	3048	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2752 wrote to memory of 2984	2752	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2752 wrote to memory of 2984	2752	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2752 wrote to memory of 2984	2752	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2984 wrote to memory of 1548	2984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2984 wrote to memory of 1548	2984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2984 wrote to memory of 1548	2984	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1548 wrote to memory of 900	1548	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1548 wrote to memory of 900	1548	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1548 wrote to memory of 900	1548	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 900 wrote to memory of 2272	900	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 900 wrote to memory of 2272	900	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 900 wrote to memory of 2272	900	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2272 wrote to memory of 3136	2272	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2272 wrote to memory of 3136	2272	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2272 wrote to memory of 3136	2272	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3136 wrote to memory of 3376	3136	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3136 wrote to memory of 3376	3136	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3136 wrote to memory of 3376	3136	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3376 wrote to memory of 4052	3376	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3376 wrote to memory of 4052	3376	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3376 wrote to memory of 4052	3376	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4052 wrote to memory of 668	4052	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4052 wrote to memory of 668	4052	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 4052 wrote to memory of 668	4052	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 668 wrote to memory of 2584	668	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 668 wrote to memory of 2584	668	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 668 wrote to memory of 2584	668	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2584 wrote to memory of 2116	2584	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2584 wrote to memory of 2116	2584	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2584 wrote to memory of 2116	2584	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2116 wrote to memory of 192	2116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2116 wrote to memory of 192	2116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 2116 wrote to memory of 192	2116	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 192 wrote to memory of 3768	192	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 192 wrote to memory of 3768	192	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 192 wrote to memory of 3768	192	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3768 wrote to memory of 1820	3768	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3768 wrote to memory of 1820	3768	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 3768 wrote to memory of 1820	3768	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe
PID 1820 wrote to memory of 3380	1820	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe	a623934db051250b8b54419b5d546f575a39c31c635cfc3d5c208bb290a1f790.exe