18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20210408
submitted
18-05-2021 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Size

147KB
MD5

55dede435e9554e774c6261a28a6bb7a
SHA1

3c33d40755f495fa32c912f4b27098120632618c
SHA256

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950
SHA512

c07ce045112569fbab87a93e39e1614fd21913387cdb022d5fed5da069d3a6cc4e694af084a41538fb6638544c2d391092a0f7c265c5215e13a610483d94041f

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\N:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\U:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\J:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\R:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\I:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\G:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\U:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\I:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\S:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\E:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\K:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\F:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\P:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\M:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\W:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\Q:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\J:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\X:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\N:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\L:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\T:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\V:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\O:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
File opened (read-only)	\??\H:	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

pid	process
1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1268	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1268	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3928	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3928	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1372	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1372	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2708	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2708	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3828	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3828	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2452	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2452	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1508	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1508	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1600	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1600	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1244	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1244	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
4036	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
4036	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2912	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2912	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2132	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2132	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2104	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2104	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3948	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3948	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3144	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3144	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
412	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
412	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1516	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
1516	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2136	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2136	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3208	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3208	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3496	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3496	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3764	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3764	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3176	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3176	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
852	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
852	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
"C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:188

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3828

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2104

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:412

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3208

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3764

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:188

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3176

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
C:\Users\Admin\AppData\Local\Temp\18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
30⤵
- Drops file in Drivers directory
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1447f6cdf0e9784cd288294d922d14b5

SHA1
abe0ef8dfb1dc1d29066bbd57601c2ef7d7db790

SHA256
26111b9d2e75c8326f9f6d084efcabd7f1bc465b420e5feb1e2a22c314115630

SHA512
2c3945518bba8cc2306c7b8d98044b230a75a2b71e31debc7c4ea78ffa948a52ca5969428324a5fc2ca9e7ecd74761f115a2189d969d37578897422ac9b74528

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1506e975ae0a67dba74b9fcfbd2f5a00

SHA1
8a18315325221e6b29b46bdead5844206ce7ecd3

SHA256
b7930f196fda653b98d521d100ac16c53f693eda0bb7e65d1cff164b802dc499

SHA512
739db3f7ca423042d387e90c2085a54c9142f548b366918ebbe226b93da548f2939793117ae01009cacf610e835e42927d012e3dadfc480f6205d4e6b8c6466a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d71707a5fa4e652895197a517172ff48

SHA1
a745eaf8b74637d5c233d1e281ef8323b128fe7f

SHA256
d9cc8d3d973fa006b0a982f034af4e107e46f1f5842324619696b0cb81a277e0

SHA512
bc9f2eadde4d074f98116ed89a66d53fce4b451b65cb8324493d760d418d2127bb9b3cfbe206fdf79c0655db517e286e4a4f746d75a1862f30aeb270ec64700f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5b0b4ddf773862590ef1e9245283c7ed

SHA1
25d257fb9be06abb6e98adf32b54a840c8f3b54a

SHA256
3da2840cd591d8ebf6583a3dda63675a296e8860c835d136a687de8b5a8246a5

SHA512
050e18674c7de7e2f6df7a451db10a5954c912c5f3220023f7d1f7c5e9e6676673b76b1d011b96e01610529e80a0d55c068abac514919eef7493d83a03309ea2

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
b14bf869cfb404a128052cd1a33af5d0

SHA1
92397473a6fd3e0831967184b31b9e6e896c1a31

SHA256
085bf3ed129b71342c065751b74999c59173fc7e4b3d7600bd49031c31379776

SHA512
ab4fe9f20e1c602561e0fdb6a24423ee1910cefb5447a2a0db2c9a80f1c0ce994a7070cabde40544f85a32fb9981994698839fb77544b80b9367dbc8d0074a02

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
82357c00470762f18fe8c4133b654b49

SHA1
7c3f3b25a7cbfcbc65368b359f7509359808989d

SHA256
4d15e2a0187a8e282f1a76eb4f1c3676acaf54c72a7fe7b56db3ff50a74a5a05

SHA512
6a27b44e7350e4d5f9fb680bdacd5ff4b0d3cc9f4ba91b863f52400748b98c629fabd78640bcebef91247e471744a5f921ab3a8920cb2d491c003d16908b8178

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c9cfa811912beb133acdae878f284a11

SHA1
47dcd08feca39a23afd83e5446f180c84f59d83d

SHA256
f485426dd0d9416942ebd3af95a7c4bf81577b46f98c798296e4aed9233372fc

SHA512
d803d683c35bcbcb120cbc1ff9204093f9688aee5c7e3013663f4dd124aa88a5d2253f90f40e6d436ce93529c4471f32c6420c02917822e4012b169ea7079832

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
21c1b62d5d6e46e5d4b3bcb23e53c4bf

SHA1
4d29fa80661027bf5a7f2f7500acd7ac795763dd

SHA256
5f260870ce49cd4d4424085e9cdba47d32aae9f29f6c557b01ed7b762b7992bd

SHA512
826cece7acd705db02eab1974fb5e3747021c0eac6de4e8881557a1b87d227d3be070a696bfe4d1e7fbebd6dbbbb67aa15955d9698db58c086c9dfca605baec4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0417ce80726fc8847930517845baa82c

SHA1
1bc8f4301c854ae9ecb3a22dcabb23cc3e0ac310

SHA256
a649020571ca4b88b1706a16bb59bee811e36bcbb50a3aeca9a7d462952abdc1

SHA512
14e915f8cb9db8af6eb88633e19e3b132d9077b278d11dc862b9848be6688c5f1b5595ef0651fb7c343bf8cf1c2ff41766f49745788419f9fd78ec2c0adaef64

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d14c99f5a9b90ab89eb14a23c4832c0a

SHA1
d16d5854a87e29f3759192bdb7158886fb2990a4

SHA256
b3d0b191f5df64a81ab0cb350dc810d6ac9ba98d11773c37f5591be51e41f152

SHA512
9491ff8729b9a2fb2ead92849822f5f2130d226894b82706e2c3f32f9c8f8e85f7c2a99a601b43238e96bbf52c12a207fcd8998aef44f4657c97aaaadd53ef3f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c175fe37f4d934c7e9c996e0110807e5

SHA1
a017417b4d4650d8882439a56c2d2d4468f6f61d

SHA256
deb8ace3b79f8d664aa3a9622fde577420718b2e99fbf0cd81444a7f01281765

SHA512
2bfbfb534ebf90ccda0f2c3dcb65fd1a377e09c3138dd7861b6e17515077a6a83904e8de8cde0de193c48d5abd2ebbf21701cd32587a293197293c494217792c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e93dbebb268d068c283edc6c914b0ab7

SHA1
12b50c9bb5d16bf5a4e78d24c0575def5cf2173d

SHA256
1af141b05a5310155675ae4922530d74fd4144911d8fb877e6e40a459367d8c7

SHA512
7778ca5b1426e7debd45a5adfb34bdbf38f3eb5638ae5acd7b852d96b74fe038b5461ccd5e6e0bbe517270e78bb412d052a6a9fa248361ceafa2054277e7de73

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0fc5b3c45eff4e5d17d09d00422a09b6

SHA1
bd9f7e9aa83dbdb73d62f16fb7cc57288b659e9d

SHA256
99678e80209799628b55505664e5bb91d9e8e6c7a43b4880e99ccdc6f3c85e29

SHA512
fa93ba50eb83c5126cbc9506cf8a7b790c205a0c8e23dc06c6b5dfaed5479ea9433f65bd5830a3097dae6ca28025e07c7cadda3f56f17c5e818e89b8899aa2e5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
da1a7ea1a57a32c3e2e40625b3b72af9

SHA1
ad971ce6033f3283e5c9358a8f741da4c8cf79e5

SHA256
8eefa12b001415e724921af9b0accabc559b605c2738252f3deced80a7377930

SHA512
90aa8ba8f56ebd00c1b12305bc4fde7bce21496b65332cd93303e9369ffa16b594f1ccd89ef0c2760a3c86e6564cab712d5c622a3c2fac4e22b5ec64c0e6cd2a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
52885a6f75f30289eece6c66fe3bdabf

SHA1
125d17ddadf63f24ebf230514c78eb6b766ec702

SHA256
c010dbf23685668ecf4c4c9962cea1337966e996a13be1024641467bbb521f3f

SHA512
85fafc521feb4fdff6b9782d2028db7229969d4420e050993342d6215d790ab4740dc31fc8bceda232f49d5320bd4b7cb3be54510d24591e340f5e7ed0b2a77e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
174c68228dceb899ae0890c6666de633

SHA1
315ac3459603b54cdc2024fd0043e2325693fbfc

SHA256
babe2be117c0902796ffe20352d0767ca7999a4813f6f303ddfbc560d5cc6207

SHA512
2d9c3e6aae977359275d8f8aaa70b04c7cb586da8b745d2f7ec3560caeff1ed9a869ee69f097992c1b046923d756b72252da21e790d4afae8325c886b691d490

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8a50b61d65b50f243e73341cffa942d5

SHA1
4346c5715b06b7c7b7cc4c72c12fec54fee52a1b

SHA256
344fbafa8aa7e5e1966036e2761e5a9f4516d640e779e00cb393b31a8a29c54c

SHA512
3be69c090b419aef4c5dc061505da4bd8274e86cbc4d774c7101acb130a5f82b71a8670977abc5500812a84d07c26d07c7116fc5cddb29c777cf82f7d697f298

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a18a1ff6e6cd31471933860ec21057a6

SHA1
bbaae1e8fb9fb0a9c827355f80ca2b760764dc96

SHA256
ec6a013d02650643bf014bbc204386ad69dd1be455cf95c8f3b17bf1b13497b8

SHA512
08ff30d3fb12804fbb2af116dbcbe5eec3ebaee719dc99785eb32bda36961dfd8751ffdaed4c414169e78e13c0b3a3dafe1042591b539ad4c2462460e828976c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ea099b3a351b61bcd74f6536d91851fe

SHA1
09454703c786e0d110158ef22bbeff4bf6332a15

SHA256
f5cac968d76a7fbcb11d7bf91d95814f673d4f521784b2945f84aa2d3f40ba1a

SHA512
e2fb1072af24d906073048aa7e1685ec765a0063d55c5778d83415e10302004b4c75c0d47f6be01d22d2deb91a037a0508d8e6fb4242547e84c73f0ecaa69649

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dd82eb9d49b9a6079ba216e3749dbd5a

SHA1
5b9ab572b324fee154fcd24f0c4127440446d255

SHA256
036c46eca057f31d26366f7fa6336fcc1b33c6a200092014e2682f09a95f2e06

SHA512
b7df6d3bcddbdeb07299cef31415b077b7ccc2748199085e64e7b1ef919ca2cbfd913ed849a41e92dc61bad316b7269f45ab30e134ae565243a91415c4a00ee6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5fb8305ef1fdedfcf82a699d25a169d8

SHA1
8073a777a7fada26052e09395f9431058c335eab

SHA256
6b142f4d8647e66959ed707cef25001ce40a1ca25679a6b58b9edc19a282e1e8

SHA512
a3b256004177a4d7ebac28e9614105db876b64ce2123a617e604fe926733693dfb00e056a1f4465fd03926a74b29ed67fb147b7adf61644eca3a9d512cbfec5f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
83ad52fe2619a3b9a6e2cdfb7276cec8

SHA1
19933065b12bfb6dcc163a93d27125a3b87ed1ac

SHA256
e7aa863cb6377abdb1deec124633cfd1614d5bab86c5004a22ca60220f81957b

SHA512
a5a307e618972a03425f79270b83aac6abb2c0ce071bddd15c7713c9ccef714f108ea198607c930edc665749c03b962026bfb3041b766d29b4c115822121839e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
733a063296cfcb724a33bad159c0cbd5

SHA1
5bb99e81f7b8b9f849cd82c6029293b3f12293a4

SHA256
509db2a489e486991c787de306ef02106b2bdf6f20446c018588eed30005c773

SHA512
7f5abed4b4d8de23eb58eeef311fd575bbcf18c2e71001f8cee983db7ba5a327c4ff0582cd3cac848b3887e409ceee94543bf2a22693ad14839a6d669300e431

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ef73718a1d876df7a8515909808f9792

SHA1
7add9507c27ca6421179d15282dd5fc0e591a101

SHA256
115237eaa4ab24b31d41a161632f4a2358d762cb1a81257bcf8be4ab91403e9f

SHA512
fc7db550ddf863c69d8533c317b0d6f627af36f606534ecc359d82d268c7887df23f801084d73f47a33747446abc6e5cc31c6e3e26208c1c7c4a7842a5efca03

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
769bccfdd707e68643da8cd8d81edf21

SHA1
9af21f1f7602784443f1010a3f19180d812820df

SHA256
f23e43a33137c158d68d86cdbcedc126fe18909cdf609f0e4a7712004a766839

SHA512
72deee95651c4b51ea2a189a73277352c1301b9be6a2185dbc7595a2f2b7b7983adc42c67e66679221a15c784f8ac18afdcdf459c71f368804f12e7fbe2022d0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
98ace5d082c8528af9bdf76f07906b73

SHA1
dbcfbda06bfda63d34fb1040ed8af542b8407dfa

SHA256
d7fb62579c34c246e4bac875fbe54084eee891cde9e4f78e3234cc922bddd565

SHA512
2f6400d1cc12f5858e282f7622914ab263317a8f955a16ff7595e554a2c20c9ba0a8898fc15c25597c2b430fc6d895c880baab302f7a8ed97199303feab7cd77

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dd9b5ee2fcf3855cd6ad8b3e3b68f507

SHA1
1f846b78003a94ee625fa34a746a8e7b4a030342

SHA256
ac38400597490077a84144bf9503f10098e022e8515cef0f58886c81f5611142

SHA512
134ed3a7a342f3e6320cff3036327f3f7c32de0b27a8bf5a68ad4f713b1c57802213e2f9df3ff08609b18ac9f80c806330369edb8a06bd4fc69f7424f646b8e1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
59545f93ad28f9f0105a62bace1f5a51

SHA1
140195376e91ad80b30dcbdcd38c5870214c6454

SHA256
35b8414c4a9ec29c61f666add47bb8be2820d9dd035009f2beb80118c6a87213

SHA512
84d496273a4d71f34dd8e162afd76342df0aebe6a2aa4781090b5ba87a45566da72f5369f61c0dcd06557c3bbc4459e4180a41b02712b5a784ff8a988a05b2bd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ac437423e6805b7599ba1896bf84970f

SHA1
5b50b182e2be17772499234d28b6673c51b555f3

SHA256
681f4ee493dce9d5c394427b78307d5d45b5f1371d2a9abc967abc060d1ab6be

SHA512
a63a0be99e27a70e240abf56906816dae1213f0bfa64cb8c5ca13e78ee8b4f3f9613c57b772cb1723d20d4c31db60a5b2122faaecd2ff058260591bbd086c54d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2a239bb0496a4d5216ccecbeb83bf320

SHA1
6a21b6101d0ae5f2f46129611340b48aeade000d

SHA256
c57eb8fe8f76d08746af338d6a022e5cdf2d335288abc8670e70a03d3fc0a06c

SHA512
2a898961e73948230409509e28e7ee569284dee0b7c5796a19195f36b468a0192e6be1c817c37db06c2436ab2b833e74ef044911137e9bfc412179257d07cbb3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
36cbf9a04523c818c98696e2c388d612

SHA1
a9cedb45ce08d1c0d6cb99d0e7ee285f350ef6b4

SHA256
b6d0f615462c4974ab21623b862139570e1a8ed1c81f776039d1f5859c44be49

SHA512
f22f340f6a0139a12fa995d6e4277abb2a63ff99b86dd1502b8e0011904750175ee6b0c33038519de3895bdaf2aa5fa10afc1e121afb136827cbe16f4a5db567

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
69f4479702fc0fce51677d46a8fbe3fe

SHA1
e59ee1aaca0b2d2a4ab39680d44456c26225021b

SHA256
4e08580b9c5e700eff5b643e7daeffecde1fd9c1f2ea7823d0bb36eabec73d48

SHA512
1d0347389ea44907d9ce9c7e6b72eeff729fc246e706cc78b5dd509ea237602ccb9261006e73c50a8a264366912e8b834e54dfd4ceee9b5db0349c17ad453631

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4fbca4fc6191752c6fe3795d54b9056f

SHA1
001ce5c52b3896c95862423529975c5400473d2c

SHA256
43818fc3a94f888638c5dfb7eddb72006ea66e51ee7b24b99deff2e1f5b22c44

SHA512
4db07dcaabe920789a0c17d76cfd04febfff7814a21d16d39102753a10ff89053fd60ea925336063730bd72219746f386313be7166709b2984de9935d3086dbe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6b3dde0d3938629fb0f56b71e82c09d0

SHA1
1d577196ea0b07523c3daf1edb36f3d05ea61043

SHA256
bc7179d0a7c7f10d0613ca73b2672fcb918dc9b3c7d662fadb6f760f2984809f

SHA512
964391ceaa646297a54dfd89e6d8697aa0ac4aa440f1345bca07150888acd7c53bf6fd70fdb2bfe4ee42957b6f881575e429caeb17422d3a2c0c15ef1bb0df2b

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/188-142-0x0000000000000000-mapping.dmp

Download
memory/188-204-0x0000000000000000-mapping.dmp

Download
memory/412-189-0x0000000000000000-mapping.dmp

Download
memory/852-206-0x0000000000000000-mapping.dmp

Download
memory/1188-115-0x0000000000000000-mapping.dmp

Download
memory/1244-162-0x0000000000000000-mapping.dmp

Download
memory/1268-119-0x0000000000000000-mapping.dmp

Download
memory/1316-114-0x0000000000000000-mapping.dmp

Download
memory/1372-134-0x0000000000000000-mapping.dmp

Download
memory/1508-154-0x0000000000000000-mapping.dmp

Download
memory/1516-193-0x0000000000000000-mapping.dmp

Download
memory/1600-158-0x0000000000000000-mapping.dmp

Download
memory/1872-130-0x0000000000000000-mapping.dmp

Download
memory/2104-178-0x0000000000000000-mapping.dmp

Download
memory/2132-174-0x0000000000000000-mapping.dmp

Download
memory/2136-197-0x0000000000000000-mapping.dmp

Download
memory/2188-123-0x0000000000000000-mapping.dmp

Download
memory/2452-150-0x0000000000000000-mapping.dmp

Download
memory/2708-138-0x0000000000000000-mapping.dmp

Download
memory/2912-170-0x0000000000000000-mapping.dmp

Download
memory/3144-185-0x0000000000000000-mapping.dmp

Download
memory/3176-205-0x0000000000000000-mapping.dmp

Download
memory/3208-201-0x0000000000000000-mapping.dmp

Download
memory/3496-202-0x0000000000000000-mapping.dmp

Download
memory/3764-203-0x0000000000000000-mapping.dmp

Download
memory/3828-146-0x0000000000000000-mapping.dmp

Download
memory/3868-207-0x0000000000000000-mapping.dmp

Download
memory/3928-126-0x0000000000000000-mapping.dmp

Download
memory/3948-182-0x0000000000000000-mapping.dmp

Download
memory/4036-166-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1504 wrote to memory of 1316	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1504 wrote to memory of 1316	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1504 wrote to memory of 1316	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	reg.exe
PID 1504 wrote to memory of 1188	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1504 wrote to memory of 1188	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1504 wrote to memory of 1188	1504	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1188 wrote to memory of 1268	1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1188 wrote to memory of 1268	1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1188 wrote to memory of 1268	1188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1268 wrote to memory of 2188	1268	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1268 wrote to memory of 2188	1268	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1268 wrote to memory of 2188	1268	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2188 wrote to memory of 3928	2188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2188 wrote to memory of 3928	2188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2188 wrote to memory of 3928	2188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3928 wrote to memory of 1872	3928	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3928 wrote to memory of 1872	3928	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3928 wrote to memory of 1872	3928	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1872 wrote to memory of 1372	1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1872 wrote to memory of 1372	1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1872 wrote to memory of 1372	1872	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1372 wrote to memory of 2708	1372	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1372 wrote to memory of 2708	1372	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1372 wrote to memory of 2708	1372	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2708 wrote to memory of 188	2708	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2708 wrote to memory of 188	2708	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2708 wrote to memory of 188	2708	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 188 wrote to memory of 3828	188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 188 wrote to memory of 3828	188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 188 wrote to memory of 3828	188	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3828 wrote to memory of 2452	3828	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3828 wrote to memory of 2452	3828	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3828 wrote to memory of 2452	3828	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2452 wrote to memory of 1508	2452	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2452 wrote to memory of 1508	2452	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2452 wrote to memory of 1508	2452	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1508 wrote to memory of 1600	1508	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1508 wrote to memory of 1600	1508	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1508 wrote to memory of 1600	1508	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1600 wrote to memory of 1244	1600	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1600 wrote to memory of 1244	1600	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1600 wrote to memory of 1244	1600	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1244 wrote to memory of 4036	1244	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1244 wrote to memory of 4036	1244	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 1244 wrote to memory of 4036	1244	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 4036 wrote to memory of 2912	4036	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 4036 wrote to memory of 2912	4036	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 4036 wrote to memory of 2912	4036	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2912 wrote to memory of 2132	2912	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2912 wrote to memory of 2132	2912	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2912 wrote to memory of 2132	2912	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2132 wrote to memory of 2104	2132	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2132 wrote to memory of 2104	2132	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2132 wrote to memory of 2104	2132	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2104 wrote to memory of 3948	2104	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2104 wrote to memory of 3948	2104	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 2104 wrote to memory of 3948	2104	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3948 wrote to memory of 3144	3948	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3948 wrote to memory of 3144	3948	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3948 wrote to memory of 3144	3948	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3144 wrote to memory of 412	3144	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3144 wrote to memory of 412	3144	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 3144 wrote to memory of 412	3144	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe
PID 412 wrote to memory of 1516	412	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe	18f2bb07451d77dd2f5db64ffa409c72076ff9b7e153187070fa308bfa548950.exe