43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9

Analysis

max time kernel
149s
max time network
166s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Size

137KB
MD5

b3b5ff59f6ce47ba7a2bc777c455e0b4
SHA1

ae14e201706eb2a1806bdc0370f33bacdbdd30e0
SHA256

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9
SHA512

7b313bddd7da2aa198b275028f799a063aff67ba921dc24021a57c1a5b1a375b87b19b21c7e41b05bad1454ed9b3a685c2d6d7e90fa5bafe104768bb0350d12d

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\I:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\I:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\Q:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\R:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\W:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\R:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\H:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\T:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\V:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\G:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\R:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\V:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\X:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\J:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\Q:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\W:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\S:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\M:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\P:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\F:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\L:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\E:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\U:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\K:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\V:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
File opened (read-only)	\??\N:	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

pid	process
620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3792	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3792	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2860	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2860	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3684	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3684	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1728	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1728	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3884	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3884	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3108	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3108	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
740	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
740	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
672	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
672	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
60	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
60	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2268	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2268	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4028	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4028	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4032	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4032	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3116	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3116	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3964	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3964	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3992	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3992	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2972	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2972	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
744	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
744	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2156	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2156	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2228	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2228	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1976	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1976	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3796	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3796	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3784	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
748	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
748	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4016	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4016	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1164	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
1164	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
"C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:672

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:60

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1824

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3116

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:744

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2156

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3796

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:748

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
30⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
C:\Users\Admin\AppData\Local\Temp\43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
31⤵
- Drops file in Drivers directory
PID:740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
39a931a2165fe0b4d109c843d971d66a

SHA1
8249d53a2d5af332f6e712fcd0bbde8846e6514c

SHA256
4484552a5aa8d80187e3890100d726f96c0779106ea5ff3d92900198fb4362d1

SHA512
bdeb82f2827b60762fa2b986a2e1d27322a241a5c5dbb5afc88d0143220b2607b1c6d5f6318de6fc4e4181bf0addfe277cac943351bf3d719a4f340f4a2a0eec

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
dcd56b756428956eb33a5f58e73ca99d

SHA1
06e30e2906fa15528e5ce865a40ac8824e73ac0f

SHA256
709766ab0052d51133854899924f55fba1ae28e45644a790df137b31c76848de

SHA512
041b47eb859933c5e7017a483f4c1f32f3386eab778021d8cc488281f02ea246e393029505ba141c4b310b49dd59d1e002595d24e8b4823f15ff88ceb905efea

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
19866bdc92cd1964b886b2562036c1d0

SHA1
3c8e6d6924625259c7402f830a8564a100dadd33

SHA256
0f199ee3e98372a7b618cc2335f65633671fcd02971f2712f6f0ba47d2870b22

SHA512
82ac33387da70c9291a62cda94dd2868a72f3005573f77c5d98917794ad464896a4d87f753104aa8031e46b8004e66d4a17ded8c7d80bbfb81ae8d67630ac327

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
2b70ae1b7b5a24c839ca76ad252e1708

SHA1
59a2e99b728d7092302d94865d042b43bd537b30

SHA256
980fe44ca9fc23e42470745ac27b9a32877093d7c008925f1b7fcc4bac862cbb

SHA512
6705355de64ceefdc511f8010b648785a36fdeff01e500f46f21ae9c6e32b6ed1d34dd8f0ac3e57f44f75aa44f35f1bdfa6370d5db89f1d08a84318fc39d9c90

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b4d9e9f0a1b3d07734e593354172ab6f

SHA1
4228843c6778923c2a53e1b506892a70efd53e78

SHA256
1a7d71990a04457dab3ffb1b2f44399257a189f5fd48472dbe8543d79501c0a6

SHA512
dfd741f66c05ce20ae42821f187161a89ef018d7ac41d2bf36556cdef9bfb48d6febabd469f9380c17ffdba023e9d3508a76d8d8e0f2f77aaf0b7bdff7ad1a09

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6dd69ec6df0d16594bb234e1b4e3ab4d

SHA1
674ac45bb2846ed14790690130f69c92dbc84951

SHA256
9131637a93e51f488a7df286ca4a22c778e853f093a995a4bf347ca94abc5c35

SHA512
b095a371fec82f5b895df12fb22fbfaf9819c5f16e30739e5f943a23744ccac75d2f1a2bc1bb516b7208a17d786a7b6ea4957753feeee47d516cb38a32033bb5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
54f59a2aaff0f36611427e0a2c1da47b

SHA1
2f8e3dc3eecd3c0685efd104fc3b1ac46b2d540e

SHA256
7123f3498fdb56a130eefdf3308c9b4e1dfcdf1b3ddbdea585b6a75f9a56dd06

SHA512
7f868ab46285be89d95928b9339d88c5414bbec3ae0554b4bee99f1749a94448bdfa7784ec6e7232d68783983149ac35f481d17cdac52926e5fc99df21733e80

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
8aead310b8407ea5c5fde4a79697393d

SHA1
8f5ad1a6f0d399f311b9ad449822c983b4f8843e

SHA256
0e5818e77e0e3a597fb7e7facb146f1040d7d263bc37fa49ff47ac7b06d317b9

SHA512
24b212163735c458133813bc64ea8d6b1582f2b54dd5191b211090f2e75ea7481eefdbbee6e047462e71a0a8bb0cef8c3a66fc95d55fc34121356d372e1a4360

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
093820a0f61181c652969fc9c77fb674

SHA1
adb7c009c8c37cace929a18af03d1258d04e8f7c

SHA256
5e14db1b15a43057b4094f9e0ec6fc6cb69d86bdf978bd252deaa4d2cf912725

SHA512
827a2584005397511ba313a788e7b9e5a01eb9f49ae295ce0819713c6c6998f63f340d2b8647ccec810b631b60d91a206a507e0834faef7dd48e5cab2fa8e36a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
032e83ec1abacfdeb45cd5b5ff96b039

SHA1
15297e1fb930c425f9f31ea472afe51c53ed6683

SHA256
b8d62a2c472cf54b025bf3e5961609c3b69c3b413a6583f73425676eb8d577f9

SHA512
3cc274d1dea5d4284744b84cb548cac2dd3eb238fe01afc6de98227e62fcf3cb9eff91fb532999ac39b9eec13ba62324b5d51fd98be0cc9e583fd0fb119665e4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
4008a817f15bcf1e9ef796643416d3f0

SHA1
60b155489b178354bd39ec85a9b07abd4857c192

SHA256
09c7b504cfb362096b2236a89596efd647f506a7f238de68b698c9f286a134d6

SHA512
66bb4b41bea43a03313393c7f4f5124486ea615cb59852e7898abe5a69134591b32adb9d7299775b28cd0fb56f2f86629bc1746c4850d2c60acfd7e928cbe0c7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a2f99e9da9826aa53f09e3c23c907e29

SHA1
bad5488685b476e0238d721bb3e4aa39036fb7a4

SHA256
f646ca9328bbe7af673d5149748cbf5f6a8d4aa86af53efa986e1e37d8878eb5

SHA512
5796b28e1850831d575d01ac27119f936ff436d89b3f94b198af69c1b5da1d77e5eda06e7afbea0695902e20ab7163782c721b5932e778022ce78882d2565937

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
32eea5cde429d68802ce1244d97da6b1

SHA1
4cf3dcebee23d4db1186d35d1a12ea034487abb0

SHA256
414e38693604b5be51b85c65319f399884b8b45de464e520f3dbd2f07f1bc748

SHA512
eabfc0fea738a7f57b4de206684239c4771ad75dd0576e34db6a6ceb315b06363c0fb26de0716ed7bbfa8eac0225f4c9b7a52252ce65d02a1426576422b1b94d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fdc77261733186fa5aa075d982d4d961

SHA1
9b6517499243dce3be1fd19a1206b368fcfa5a74

SHA256
a611e85ec61c14a19f4337b8b83f55731a59db3925c8ffdf831561e10a3a1547

SHA512
ea9d1dde9e8a196e320a46f1125c6313df7d414f59d708a2e6766a01dec229db50fa3d142b72613fc32373976c0314240ba5c7b212d75e8d6773f2d5922f014a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fb45830c47773024651cb4c8472d9caa

SHA1
390dfb83b51ab8c3073c5af586872e8ef67161ca

SHA256
880a937a52d97f41b91860f22a98735eecb89f212877dcf76c4019a4fedd99ed

SHA512
af55c414c373802817231b600170651b217f1c450b8f3d9499967529902ae7277f0c2ac50f6e3003a4f514f991f1e4d8f63db44ff5b139648092b5ec3af8a844

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5173332738a24a3235b36b5d1786f7db

SHA1
af52b4a60589dca5f59aa80d46a94c98737f851a

SHA256
71c7710019af2bb2583843b51b0b925f01e2b5ba98621f273797e78225274936

SHA512
dfde56d139ef774ba2a97b3b11ab91a8bcb98191f8a86e21ed18a8824b0b6fed316b7e006e53ef01a5742e385ee3b5ac36f818b3c19e5f2818ebb73ea9ddf567

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b0efe5e717dbc35eec74bd270816883b

SHA1
c7a7332b65fe67f68705022344e4d3d6b191927b

SHA256
1efbaf60a2e46cb3411e4cef38aaf6a50aaad060cc1ecc79f539906a68ee32b5

SHA512
f022367f4cd05d8a3b554dfa8da94b67e7b110a4e406e779f2f2fe320dc3c12528b27d859d449d46630954c98c6a7193dbe1555b9938368daa03dd17717e6536

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0b4e9675d50ef9478cef922f497e7e64

SHA1
9c37a8f19c03643a410f9c0a33e97b199118004a

SHA256
660317682a6e428175fc9356995b8ad60f39efe92e642bc2fcbfb693deb4eccf

SHA512
53642ed076c2eaf9a4a48be5c8ce6dd3a765f5f588da64384f40fb59520aae97960946950c2e9ea410a6050cb3e54218f9c0ec4b77d1cb50132ced65e3a9fc12

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ff43a14de2b2d779a051c3d5c63c49dd

SHA1
acc5ce031ee8c54233590a5bacc163230d493689

SHA256
dab3de77404340e6b6d0e22c6ecb60c1af68216e151bd9205b08a1fb0a515335

SHA512
1010eabec30b440a91fbb03a1e0a93b225b4165a4771469ae10a93f251bca83454149e4ae3e07bc275829778017793157c8a3006b0a5a6880616543c91f8783f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fe48007caaf5837460eb22f806cda94d

SHA1
4721f550ebafbe3e22a285bd9e451c2157862896

SHA256
921b180d4e902e771547528b34e5fa46630b97ffb228de05ab6dd02edf7e115f

SHA512
131a51b6e22f80f3bb627ead4b5a43b96079616ce48bb1cb99a0062004bda00c911488cf72a9a2f2d8f1fe14bd59d76409a4cd2d255c011237ef6e840c1e2052

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4afec9c67dce00803f2b239a1f4436ab

SHA1
05cfccfb57fd120d18e7b587392faad0072182b3

SHA256
31b81ee42f35da1c2df4e2be3937478ef655edbaef7b540e16328f8128214381

SHA512
920a5993234d41471114ef982198ef6250243246ac38e3264c03575dbb977366e51b223d31415ad56040f8f12613d4a5ad3516b500debf41b7ca03a3baf91d88

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
202c4dc67f486ac5b9d865e4dee07d96

SHA1
6116025a05e34f7c13b7caccb6a1e9f0a98b6304

SHA256
d49270162034733811ff659917848d818504b78a199708191386e622631ce745

SHA512
d0876b3f68ca653bf36169e99b74e205e90940962990f88aa89e22c5ea8f04d1bcf3b07d28b75828fa49487bd2f223c2acd5b4a6fc140347c5b1c768dfd09e55

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8a9c46e55be1d71b92d0a61fbaa84fc2

SHA1
b9d7f25ef69865c41916b5044b9e728eed307504

SHA256
3d1b08462fdfaf1f87958c78f3660925347585e2be2398a3d8d5d86caad07d53

SHA512
7ceff804b7b659530f898a66b5e9b1522dcf2975cbb59ecf070d9b82ebe1118ee02ff20a97f6e64f5c151bee3049328a4ad49a4c00e4c1ed78bb1d412ea1247d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4ccec24470187c02535c15e7d5d0b34c

SHA1
5bba29335ff4f18a85666896278d796debfd489e

SHA256
7896a1b0fb48d52a5b0d5ac1321201c0e3ac3c01fc101ecd0750db5e0cbd2c96

SHA512
6db09a41cb7f1823d2eeb89cf864f90ee3bb50cb76c25597359b94a8b9b690d132c4e95c4a0686aec10c0e9f0b07c0f0b041f1fc62cc5234caa216bab1ce740c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fbf67754022309e1bdc389f83e3531b7

SHA1
46e791d8642b6f081c2b08f338a7904059850648

SHA256
332cb5e7f9547a86dfae29e43d5227103598297f26880471f7d12e17080b7f71

SHA512
4d567954638864ed30031efcdc82c1632f8bb8fafcbc2e1b5f6b28c15d2373ab4207b59654a7c54f39b4225435cdf378ceca5a209d5ac4d12375c652831d98c8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3bcd935b9202a24c3ca2151e11a6a799

SHA1
618da82b90bcf4b7a3e8b981de06ffd7cd8dcd5b

SHA256
ff77cbbeac8efba4530753a172854d4132862c9e1f5cea945e1219a24ed60238

SHA512
51f4bc35f34a3fb55d1d09181ea5fadbc4159b22649bc4ec62a0500641f653caa4f0e645c12b39a8ad3f75a6d6dce0a93876d0389c59b9f68f20f763c46d1e3a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
813118405f6eabc433c243aa82259a01

SHA1
17e8a3898e0789aaea90ea5d74141170a942508f

SHA256
b6fed1b3f75784077df4acc39fa713e4ec81ed463ef448bcb560e9e8308883b7

SHA512
bb1418e0fc5bdf27fbccae945160fd43db70d896fd6fd36ae46181631f5e2ebe5d63c7bcdf6288d30e1d3aa3ae6f983bcc3a0df4e5cfb83b8d6cf5cda30388d1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
48218d9bbde81060c1cb1d227102d49f

SHA1
92e08a4222f636368fdc419e0351b066386d7adf

SHA256
e590669c46546125cd917330fa15a0d5376db142c9c30a0ce195e48cf1a492d1

SHA512
0155a69ed1d49efeb1d8e3a65f34516d6b7e6d7c98f4bdfa46f69414fb43b4f72c28ac58323ff85ffd61b416c0e5404b8f48339d2db41430eecb024efbe2eb2f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
34a2346927a145dce9b0a30ea65a04b9

SHA1
acab9365c629308d285da2665acb4bc7b2d266e5

SHA256
95c254bb6ee378a162df3076bb88353e9b794274253a6dc3c39d97be84acfbd6

SHA512
6976715c502bd2988551f1136e70643728146d2314d5f2565fb8935f709f580289415e80818476ca4eadde0b44cec66a8b7249353ec37e518e1d38cc69d38ff7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a1560d2b3ae3e33b26ddb8d8f969dc8e

SHA1
7f4f75f414b06f898d2793a9fae567d020345aa7

SHA256
c897e1148cc7fb1add259d1c889ab3f5163a2da4e529ed267098369ba8791cc5

SHA512
442744df266bd4840ca23b062683ba84d31eb91c6a524b1e92499ed8f4883c33e7b75a0dbb61e4331f65200b7f6522befd573673d5422721e28ee8f8735afff1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6c93a3c15c12a734ba28614ed7ba3159

SHA1
bac61e058b7023670bf1a1cd48492767cdc24813

SHA256
67b647e64373b6b69d20ca9f6f9f1ef2d3330f25a901c8a29230c5e599832240

SHA512
61fc77a5f2a1e60b0155d5d0015f2d53fb30ebba7afc3710bf992d80d40d77168ef37f5daab2b961dc3bede849cee6ec2e36b682d853b6d1fd69b2fcc26a012e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a6b98b717acd3747fa418db2634f8b7a

SHA1
280b46aed086e9c723fb4e09aef891cd10e39323

SHA256
9694758ed512e5ace42079fa0bab6586a5e4b2b579b686c96a68b24fda9b26c3

SHA512
04e09ad2d124a8271d85492fc99620496608f962551dd19207f5969c6db8c6ec575eaa13c73039ed891298470190b07d167a2b07575c7c7211d76bf8eaeea199

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c5f8dfa473ee433c0f1ae51fc0d36259

SHA1
a88f1b954e88e6712478d9b64c6d2ec2a44d10c5

SHA256
d87e796b7e6582231fd65ff64596f788dd76619dda8ae5f625153abe590b37ca

SHA512
0a43887e132d07ccc0520b8817e35f7d5f1af6e963a31787b9aa55cd73803d1288d06a3d6d14053bbc58984c8e5f54e8d649fbcaaa8312d89f58dee58fad8a89

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3a95d6b6375abda912c62d139208118d

SHA1
df45c30b1b82901e7293152365eec5cb0bc6d95b

SHA256
a913fef470b8e16751df1c4e26c627fd4e26edc88e4e17a0d10fb9c87987b496

SHA512
9f202951daf48d2162991947f75e5be0150051b0b59405e034121225cc75ef5d57b413bf9f37a876ae73dffb4969c9c28dbb56c72120bfa9eee088b0812fd8f8

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/60-148-0x0000000000000000-mapping.dmp

Download
memory/672-144-0x0000000000000000-mapping.dmp

Download
memory/740-140-0x0000000000000000-mapping.dmp

Download
memory/740-208-0x0000000000000000-mapping.dmp

Download
memory/744-188-0x0000000000000000-mapping.dmp

Download
memory/748-205-0x0000000000000000-mapping.dmp

Download
memory/1164-207-0x0000000000000000-mapping.dmp

Download
memory/1728-128-0x0000000000000000-mapping.dmp

Download
memory/1764-114-0x0000000000000000-mapping.dmp

Download
memory/1824-203-0x0000000000000000-mapping.dmp

Download
memory/1824-160-0x0000000000000000-mapping.dmp

Download
memory/1976-199-0x0000000000000000-mapping.dmp

Download
memory/2156-191-0x0000000000000000-mapping.dmp

Download
memory/2228-195-0x0000000000000000-mapping.dmp

Download
memory/2268-152-0x0000000000000000-mapping.dmp

Download
memory/2860-116-0x0000000000000000-mapping.dmp

Download
memory/2972-184-0x0000000000000000-mapping.dmp

Download
memory/3108-136-0x0000000000000000-mapping.dmp

Download
memory/3116-172-0x0000000000000000-mapping.dmp

Download
memory/3684-120-0x0000000000000000-mapping.dmp

Download
memory/3784-204-0x0000000000000000-mapping.dmp

Download
memory/3792-115-0x0000000000000000-mapping.dmp

Download
memory/3796-202-0x0000000000000000-mapping.dmp

Download
memory/3884-132-0x0000000000000000-mapping.dmp

Download
memory/3964-176-0x0000000000000000-mapping.dmp

Download
memory/3992-180-0x0000000000000000-mapping.dmp

Download
memory/4016-206-0x0000000000000000-mapping.dmp

Download
memory/4028-156-0x0000000000000000-mapping.dmp

Download
memory/4032-168-0x0000000000000000-mapping.dmp

Download
memory/4072-164-0x0000000000000000-mapping.dmp

Download
memory/4072-124-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 620 wrote to memory of 1764	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 620 wrote to memory of 1764	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 620 wrote to memory of 1764	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	reg.exe
PID 620 wrote to memory of 3792	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 620 wrote to memory of 3792	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 620 wrote to memory of 3792	620	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3792 wrote to memory of 2860	3792	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3792 wrote to memory of 2860	3792	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3792 wrote to memory of 2860	3792	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2860 wrote to memory of 3684	2860	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2860 wrote to memory of 3684	2860	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2860 wrote to memory of 3684	2860	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3684 wrote to memory of 4072	3684	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3684 wrote to memory of 4072	3684	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3684 wrote to memory of 4072	3684	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 1728	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 1728	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 1728	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1728 wrote to memory of 3884	1728	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1728 wrote to memory of 3884	1728	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1728 wrote to memory of 3884	1728	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3884 wrote to memory of 3108	3884	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3884 wrote to memory of 3108	3884	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3884 wrote to memory of 3108	3884	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3108 wrote to memory of 740	3108	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3108 wrote to memory of 740	3108	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3108 wrote to memory of 740	3108	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 740 wrote to memory of 672	740	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 740 wrote to memory of 672	740	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 740 wrote to memory of 672	740	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 672 wrote to memory of 60	672	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 672 wrote to memory of 60	672	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 672 wrote to memory of 60	672	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 60 wrote to memory of 2268	60	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 60 wrote to memory of 2268	60	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 60 wrote to memory of 2268	60	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2268 wrote to memory of 4028	2268	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2268 wrote to memory of 4028	2268	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2268 wrote to memory of 4028	2268	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4028 wrote to memory of 1824	4028	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4028 wrote to memory of 1824	4028	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4028 wrote to memory of 1824	4028	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1824 wrote to memory of 4072	1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1824 wrote to memory of 4072	1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 1824 wrote to memory of 4072	1824	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 4032	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 4032	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4072 wrote to memory of 4032	4072	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4032 wrote to memory of 3116	4032	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4032 wrote to memory of 3116	4032	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 4032 wrote to memory of 3116	4032	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3116 wrote to memory of 3964	3116	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3116 wrote to memory of 3964	3116	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3116 wrote to memory of 3964	3116	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3964 wrote to memory of 3992	3964	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3964 wrote to memory of 3992	3964	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3964 wrote to memory of 3992	3964	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3992 wrote to memory of 2972	3992	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3992 wrote to memory of 2972	3992	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 3992 wrote to memory of 2972	3992	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2972 wrote to memory of 744	2972	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2972 wrote to memory of 744	2972	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 2972 wrote to memory of 744	2972	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe
PID 744 wrote to memory of 2156	744	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe	43b0b96c67726e59eec45dfea80165dbb7dbf177489435c3e6011d34fa7e9fd9.exe