fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Size

161KB
MD5

427aa518b17bac4f95e2bee7085fc770
SHA1

34dadc42b1ad8861dd2067e5912953f2eefa6d19
SHA256

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1
SHA512

275a60c6cbeded188b039c6f9928cab43121d5785088a3339fd475269b3bb2a570e052f80ae2473b569f8fba3f8ef71b1b27b69cfaf4e4ca28110120b7cdc286

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exefb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\U:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\W:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\E:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\J:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\R:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\N:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\R:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\Q:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\O:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\E:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\U:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\N:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\J:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\W:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\H:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\G:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\U:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\S:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\G:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\I:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\G:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\N:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\U:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\M:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\P:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\F:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\V:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\L:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\T:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\X:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
File opened (read-only)	\??\K:	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

pid	process
2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1336	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1336	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3752	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3752	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2128	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2128	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2500	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2500	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4028	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4028	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3148	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3148	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2196	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2196	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3340	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3340	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4024	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4024	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3396	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3396	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2080	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2080	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1568	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1568	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3936	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3936	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3848	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3848	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1820	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1820	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
908	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2216	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2216	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
852	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
852	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
980	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
980	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3316	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3316	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1292	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
1292	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3964	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3964	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
"C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2128

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3396

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2080

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3936

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:908

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:852

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1120

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3732

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3316

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
30⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
C:\Users\Admin\AppData\Local\Temp\fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
31⤵
- Drops file in Drivers directory
PID:1924

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:2172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d3db37fe3b08b85adeacb2252083c3e9

SHA1
c2378b8c3f17298814856b23ade80678dc08f180

SHA256
2c2cd19a0fb7a46eb9277a03df0c13b6fb75afd2ad0d099b61c6faed7134e0b3

SHA512
19635ff695742277aceaf1f440ef252e11bb69d65831612ff2abd12963d67fcb3d3e1252fc48ea08ba48ad3b170add48cfb0d8253d770343a5131b2cd6fcff64

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
6a8faf542b1d2f3861e7cace573def15

SHA1
b2d68925bf0c607bcbac26ab3ee55bc2f53ce6e4

SHA256
b54ab33708d050329efa18cfd330cc18f38024f34ce5d644baa06f40fdf44b81

SHA512
7ffab07a9f1e29c0c5897da4a4d11bb2ce8298c0111cf199127a1b58b4a78897cf84596bfa717451699de6e640394e0bf0128ead0fc898e208862279177e7ab5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
7c8943b8a2e4beb3a77b162f8de255b7

SHA1
75473caf5776edfb2b984d043cfddf3ce785a218

SHA256
468f4d99bda2df4e7656acb942c934d8d21be0ad6fb3810f1c537a7a369cce1c

SHA512
decc11e626a42a2452c0a18072ad106cb65aa8ba110676e00af9492185bc05af94eace2fb5856098718ef6742b350b75334cfee7187577e3fa5ce8ac86611f59

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
cf09cee0a7cf145d284c2aa8579afbb3

SHA1
0e3d422eaf3ed00706dd9e8410e5ec0d72a5fc14

SHA256
78e8fc130daef12e1ded6c7ad78f8f385e0cb898fc1021f3121277231439efd2

SHA512
d25c28913cda57443e04bf5ad06fa324f4634647c98b2b05fe9871c7b37a1f3eee5f6a659e40754bf3d08fe59dc9d1b8070299812f7a446036dd1056cf164f33

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e358878e3748db1949f2f685fcfff3c3

SHA1
7ee70892941456fe7ca0598971168bd8d1a2d09c

SHA256
436c768a1b4a416b095145420acb4d7aa2b6400e58ab9394a6783e20094369c4

SHA512
66a3c522bdf52605481dcacc099691cbee122db89d7b999c1d3bb539a7a3531a2671098e9631ae531e038e34bae94aeb4ca5420f5cedaa6086e9ee7b466a6232

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
5b4d4b349b9214042440de9b05180129

SHA1
10d95d4c2c9be6f27072cd904627f6cc0dbcb1e7

SHA256
ab08cd93925be795a3a48790b2a6fef10016911e7a6e187e0702586309ebd85a

SHA512
9789173a95e00bef3309cfaea9d5b7959597c144e6288da15e835531bd504a45b6803b1102081f9da28397b545c7a88da0bd7369960f81769cbe71b5f3bafbde

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
e3a3aaccf5984c055eaeac6f0476cefd

SHA1
a95e4a7ee90e2c6540dbf6f92183094fd28f18b8

SHA256
9b13e9e4df1cffcffa60941358f9d0484ee0547e1949c5e678da17fed5251a21

SHA512
aae7a7c3e0c31c445232e2290871726808d969f7ca3c0bf390b730f514dba5ccfddc46662a47b9d4acbbd2cdf1f0380389a7ebdc163e96b7a97f1f55d6f6043a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
3cfaa614b40579fdfdd38c42670f6b0f

SHA1
e016cb49013856a7c44a7a44dbf830a13274a027

SHA256
cec853aaf7ee29f82c4dcbb743c452d6493557c1ded6309f16e69e510461d236

SHA512
61896fc98e608cb9c6f65525229ffeb6a1040b22041edf5e6a576e8cedbe85a5b1fd7f6d0c63f2c31838819dcdb7dc4259c9715fee96425df0b528900079394f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c7e4a1846edf0d0e17ee96247162e46b

SHA1
c0ba6738f44a8ab619c5702c7b1a4c780878a44c

SHA256
58122e27d7062c46cd99db13404073822f1eeedfbe3cc102072e8cbbcc68e07e

SHA512
41d4b6f742f4b1151674513d77f2fc1f62d790336e66e390133e411952cc758cdffcdcc5ae5d7d317973e0274a71962974b07a98cdf8e7adac5e3bad1a7c32b1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
48a6a46c58319bccb948cb3b506cec48

SHA1
e647aa464d5be36c3b9753460ad462e08078498d

SHA256
9f6a231dbf3b09a64119ca9e5078d39831bb2fab2d9c8b71e781c38ae0534e41

SHA512
13b32169b5fb2d21b87a63264a453f16f03176a44c437fa38357842ef0cea977c3e83dffbe4f3d5b1c4a9b92da81992338b7affac8834b43a0ca47e93dc446fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f3b9352a452ebc4c82e0fcf737293a14

SHA1
6fc9fedd0bd403618fe4053153016a444ba2d548

SHA256
8d1acbc012dc61b7bfe0a31daf6e5b94d4edf527c168de49f0ca113853799b6b

SHA512
79c0d4e9a6e14bcfb82656b82dcdaf6d70015513341be47eaf15a8a2d742efbe9125b9a0682798381e4b9dd8edca458c54b58428290fdb1070dc9562f8b3973e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e6f43c9c31429163dfb8658ddc38d164

SHA1
4a88626ee28c877821ed15b2f5bbdeec92c680eb

SHA256
d0e3a15b4324187fb74bd3729fbb20a0d4f54f252c763593ab0837622a4d9592

SHA512
78da16630d0c0d8eb8f8ccf12a791ed66b28eaee3935da4b38aede17de136327ff45d57f39eefbb3e77ecf9a4f0680a36d62795adb1705b6e3e867ae1bd76f8d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
982b8692ac7d1d16b034c3f6708dd729

SHA1
6bb0db4cdc2d6d063bfc05a3c87c7b7175d51782

SHA256
63ccbefbd02705116938854214aca057430f2d3b1a9859f21a18fe1a2c84031c

SHA512
5c41a6074b2df774266ffe7cd389f86b31a0e8721294400c47b4aa7f263f152363e79963dfa46cc65b4602bdc5d48d889471d4c7b699a5cfc6588642b5364736

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8e4c76147d3dc41ae16c1977e7cd73ff

SHA1
d89db62a5200d90837b4d2a0e9b1f86c3c537eae

SHA256
4e873ade13cffbad0e920449febefde19f437aac7850491ea5cf3446f0611ed4

SHA512
8160d3c9201e91d7636406d5075e10a16d7e577be966507ea6edc3c69b9e74b713bdfa632cb646d9e126fb6309a7c69009744611190a5b1bec9a118ae44f7000

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5c0177aad3c54c988056512318fc6bc3

SHA1
0034f0701061cdb6ed0633a4f297b4818661bd21

SHA256
e36a975b82b1bc11765dedcb08f10363b79310b058ec4e239f4d1ff1e9f2d113

SHA512
495acf0eefc66d84151c9ce70c68328a4e089ec667e600760cc3109e9230411b2108fb5e8872c5e3bbe211fe6778d1304fed645d70128ec35557d2cf00088cc5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
fd2a2a679cd2e3aa294bc00d2e488ae0

SHA1
3ad8ddb85e877e735f95c9fd0326491c31262751

SHA256
2c0a6b984357ce838135b1dbd9c6b17bb92eeb86097cc518cc99fda1deb13abd

SHA512
9d79430ff93320053b165e4c37834b487b680fef4916ff8412e92a14f0641a90954a7a68873d83f95e207745d5f43d5425f898823315afa9583e287cbcad8de6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bdcc3820d1f383e75deb413f68f78017

SHA1
9685393dfb9b52a2a8d773c2feaf2c3fba88d723

SHA256
6fe43f718ba5f117127eadaa4a62ece79774d54e1a0631a185880b68160e74e3

SHA512
bd4bd0cdf6c29a54acca8a296a34ff6515783dfefc5146a412e31acdf813335bdfa33fa9ea51633b8203864723a2ce456d24f9fb08ff0dca6aee23680319a79a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
cb3e44eb7f8b7661d799bfc1cb47c5f3

SHA1
4cc6cdc4a018a4c44f2c7b9a2b96added0c8a81c

SHA256
12640c103a3baef7638acdfa4e8a459fb4609489397f848de100581eea58809a

SHA512
41f0adfd48d880bb59454e808a4730385a0ce1bc40595fad7bcc64ec1858767223ee379d07c96e456bdeb174c0f3796c5c93e8f13103ef022473277ef2d9b312

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
db66d9c671fefd9e673dd0426cef5c84

SHA1
a47bd88463dedc9f6cbbf0dc157ca1951cd52821

SHA256
6fe22c23734d9906b2280a58b3caad4f45d5950195cec19e98d01449eb9fc9b2

SHA512
286f1c0e2554eea11413b091f393f7aebe0c4658c89e5bc08484f19a18f5de019b06cc1bf48024bea03fe92ae0c71ed904dd4cba66e867c6f088efed022ad4bd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
bdc59ad42f6a8a321e6920cbfc1d87f2

SHA1
bae4bb008ed4cf63275096247bcb6097e22311e4

SHA256
c4d7f6499065bbe4b4c604768bf77e3002aeb24170d0dffb183251284dffaf24

SHA512
44453d5a06c5a2679af190e102e226ecff3267ef6ccb99c113b4baa6c595764e4a200ce180d68dddac2009b6a300c5657493f4c69749ba5fd5fe3b4ddfdb0935

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
34937a576f76c6fdf016d101a007d2f3

SHA1
5ab1e049f9052ae10e688a77d25cd363a8b38f48

SHA256
84389b10a549942505ee65c1f8cf85df69a5e65eef682b81e1039fa44e7411f5

SHA512
44886f4913c81752a102536fbd98b2ad563b5c00925c8fa1b282f0f0d574a9ad073ae8e95c5f71c4751649c9f0968e54bfa178fae2e8d75013ab5ae4d884bc0a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
44ce2f66b2aafa41a37b33c1b1eda3c2

SHA1
2e8154a754b99709f281a10c114a027477cc56df

SHA256
9c95c41bfa7c697ca55720e013626efc1ff568633d357f00aa068cc094bb2ad9

SHA512
8a39d903d0377f52029f41330c79d3641c4ada17ba415404b73a728b2c052fc5a577a4b2345499b163ed3257567ea9e7111a2dd1fbd06f4e63f987a396de52c1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2588d8d441c8b7535b76e6aecee0e362

SHA1
a4f90673783d6c90e35ec5288fbcd61c19ee58d6

SHA256
d235e8279b002a4402333a041fbc759e2db81d285111ad17dde5e55c000621f4

SHA512
fe55db73d4285634b5d38466835fa56a04dbc955791bf043fc0123add134530a2fa99cfc01ce680ab05a719fc6aa035411c8c8895152c832c9a624dc9a9ca184

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c226157dbda735194265d5d1bce3d16e

SHA1
6100d12a2c8c1e05482f58796efb22897bde4839

SHA256
6df13451247ad25ada2460958923d478180da701c0309037151db2a185778ff0

SHA512
5e2f40062fa02ad2d3017c4fe108fb13a5979327b1419c13be2c632fe91ccb65670e34b6d860fe16e887ac33df0120c041575238f899481295dac303594d6ef9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
64f1eeb61ddc4c0d68e8d9a4e849a3d3

SHA1
b68a3ae61a2edd0efbbf6e52be2fc08579fae5b0

SHA256
618a8eed7b9acb44e291648d727a797713bb5ae09eed787b3d187678fda7b0b2

SHA512
1d30c02599a9bdc1f6e1b2dd7dd2af3148b47f6c6bcfa26401abc23af79b57d0b783208ed1a437dd72bdfcd4a9b1f5708fef9f1b73888fe7346f22f0a9d33548

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
98804b04362262aa2f17c77c27496e40

SHA1
bc434db486f09aa91d718433809b4c180870591e

SHA256
3725d48ac3d60b4fb0b586d4189c7dec1e2107b0be869214410e45e298dc621b

SHA512
ba1a9fd34fa108fef6b62ee187ad2837da6c71ee429792bde159d6715141bbdc37e897701333f17fd8224cdcba69f8f9f46ed0c634c19154a650dea3917f14ef

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
62d8833f4997359772b5f706b19de92e

SHA1
e1dfb57d5bd8d051bd278b4ce3cea80a4dcd7dcf

SHA256
275af1b2e25176149a978134ac19a9177a6957ea25a53f930b2957b11324a110

SHA512
46309876cad5f14a02782c3d68e59e336c7f7a0f39e26b4b0de29d0612bd43fcd4a51ce8b4fb50cf348fa62c2a2127a9ce195be0c20e71fae1b177566c6db2f6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
9a0e6120d925e874708ffbe72c335d08

SHA1
045ba361190076c53d417ce5ae5cf55f8f1f0d02

SHA256
2aa15d15c26f6baf8d41db589180791a3f4e9f248fce522ad7431875a16274a2

SHA512
09ac31c4198eb7ce82d43f03a4f1949cec1c5186a7060849fb4b4c2ba7204bb1e907999a1686b316cdbfc2480cf722e926e899d4a2bddf892325d15a527c94e4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
7b24e9cf97dfc12193ce14aa96c8defe

SHA1
c8baacf324a3f41269d3bffab412e2bd72b16b51

SHA256
ad6191b876bdb9dcc489329ff3a4399c4be9bd49af351b9878b3b9c1e3ab83a2

SHA512
8cc69fe31713c4deebbd8e21729a33c548ed4cd08848b52f768885c32ab4d341acf1ded93cf48ed1b393b9211c0f1b9488a39019895b853e339df41f9b81e84e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6976dc2b27610f83dd8dcde76431ef8d

SHA1
0414a783a58bbaedae65c29f6e8400c5e25f3a9b

SHA256
78fafd4ad43fc42a6aeb818ca1c5bee55fddb047835b322985c02dec1780f091

SHA512
81d8b0b7c919363a5c8550f5ef0c0e77621e00ecc069e73881f83ef10fd3dee7374584d445185da70f67ffd99bfe667d48b6b8f511fd20fb76f45e9a4befa289

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
32128b9472e6a8eae711946071b9595b

SHA1
dd39308a27c4210fa7671db7d19633c5cd65d35e

SHA256
896927538804ad23faaf36ab271fbd8e45571472cfc3f9c634aadd6b8ea1efae

SHA512
a02e8aa5751c51cdbcf535161ca53b18521a3ba9f1e39a837e0dca364193242992806e25143aa1755c2fafddeffec656953f1428171d97371f128f5797a9cdd7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8a3c3e209abda345728b77f5ecc1b297

SHA1
112011592d9fe2361c44eaa72531b204ba1c89e3

SHA256
6df9c336105544ee7f5b3786e3208c78e58bda2ce86081cac4d653832e8c65df

SHA512
b6e79897f972bc89fd51385432737a6e60b8579ede83e546b147804fb06a27bf499b99e385fb3e41a6e6a29a7708dc4d87fc2b8cd9acb018b197361fcfd452e2

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/592-160-0x0000000000000000-mapping.dmp

Download
memory/852-200-0x0000000000000000-mapping.dmp

Download
memory/908-192-0x0000000000000000-mapping.dmp

Download
memory/980-202-0x0000000000000000-mapping.dmp

Download
memory/1120-203-0x0000000000000000-mapping.dmp

Download
memory/1292-206-0x0000000000000000-mapping.dmp

Download
memory/1336-114-0x0000000000000000-mapping.dmp

Download
memory/1568-164-0x0000000000000000-mapping.dmp

Download
memory/1820-188-0x0000000000000000-mapping.dmp

Download
memory/1924-208-0x0000000000000000-mapping.dmp

Download
memory/2080-156-0x0000000000000000-mapping.dmp

Download
memory/2128-120-0x0000000000000000-mapping.dmp

Download
memory/2172-115-0x0000000000000000-mapping.dmp

Download
memory/2196-136-0x0000000000000000-mapping.dmp

Download
memory/2216-196-0x0000000000000000-mapping.dmp

Download
memory/2500-124-0x0000000000000000-mapping.dmp

Download
memory/2636-152-0x0000000000000000-mapping.dmp

Download
memory/2732-172-0x0000000000000000-mapping.dmp

Download
memory/3120-184-0x0000000000000000-mapping.dmp

Download
memory/3148-132-0x0000000000000000-mapping.dmp

Download
memory/3316-205-0x0000000000000000-mapping.dmp

Download
memory/3340-140-0x0000000000000000-mapping.dmp

Download
memory/3396-148-0x0000000000000000-mapping.dmp

Download
memory/3732-204-0x0000000000000000-mapping.dmp

Download
memory/3752-116-0x0000000000000000-mapping.dmp

Download
memory/3848-180-0x0000000000000000-mapping.dmp

Download
memory/3936-176-0x0000000000000000-mapping.dmp

Download
memory/3952-168-0x0000000000000000-mapping.dmp

Download
memory/3964-207-0x0000000000000000-mapping.dmp

Download
memory/4024-144-0x0000000000000000-mapping.dmp

Download
memory/4028-128-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2228 wrote to memory of 1336	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2228 wrote to memory of 1336	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2228 wrote to memory of 1336	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2228 wrote to memory of 2172	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2228 wrote to memory of 2172	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 2228 wrote to memory of 2172	2228	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	reg.exe
PID 1336 wrote to memory of 3752	1336	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1336 wrote to memory of 3752	1336	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1336 wrote to memory of 3752	1336	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3752 wrote to memory of 2128	3752	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3752 wrote to memory of 2128	3752	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3752 wrote to memory of 2128	3752	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2128 wrote to memory of 2500	2128	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2128 wrote to memory of 2500	2128	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2128 wrote to memory of 2500	2128	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2500 wrote to memory of 4028	2500	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2500 wrote to memory of 4028	2500	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2500 wrote to memory of 4028	2500	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4028 wrote to memory of 3148	4028	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4028 wrote to memory of 3148	4028	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4028 wrote to memory of 3148	4028	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3148 wrote to memory of 2196	3148	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3148 wrote to memory of 2196	3148	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3148 wrote to memory of 2196	3148	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2196 wrote to memory of 3340	2196	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2196 wrote to memory of 3340	2196	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2196 wrote to memory of 3340	2196	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3340 wrote to memory of 4024	3340	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3340 wrote to memory of 4024	3340	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3340 wrote to memory of 4024	3340	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4024 wrote to memory of 3396	4024	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4024 wrote to memory of 3396	4024	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 4024 wrote to memory of 3396	4024	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3396 wrote to memory of 2636	3396	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3396 wrote to memory of 2636	3396	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3396 wrote to memory of 2636	3396	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2636 wrote to memory of 2080	2636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2636 wrote to memory of 2080	2636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2636 wrote to memory of 2080	2636	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2080 wrote to memory of 592	2080	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2080 wrote to memory of 592	2080	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2080 wrote to memory of 592	2080	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 592 wrote to memory of 1568	592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 592 wrote to memory of 1568	592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 592 wrote to memory of 1568	592	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1568 wrote to memory of 3952	1568	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1568 wrote to memory of 3952	1568	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1568 wrote to memory of 3952	1568	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3952 wrote to memory of 2732	3952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3952 wrote to memory of 2732	3952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3952 wrote to memory of 2732	3952	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2732 wrote to memory of 3936	2732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2732 wrote to memory of 3936	2732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 2732 wrote to memory of 3936	2732	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3936 wrote to memory of 3848	3936	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3936 wrote to memory of 3848	3936	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3936 wrote to memory of 3848	3936	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3848 wrote to memory of 3120	3848	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3848 wrote to memory of 3120	3848	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3848 wrote to memory of 3120	3848	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3120 wrote to memory of 1820	3120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3120 wrote to memory of 1820	3120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 3120 wrote to memory of 1820	3120	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe
PID 1820 wrote to memory of 908	1820	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe	fb25865818032120953e48a676ae5f4d2acf6c2dc8628b73bcc2edd8099d81f1.exe