1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397

Analysis

max time kernel
149s
max time network
150s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Size

1.0MB
MD5

2600ef5b77e5353057f5b5f2bf283a24
SHA1

ea7441aa62b9ed9bbf77850793f6575d64fadc24
SHA256

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397
SHA512

ffe6b615d0f304a1a7cc9e65415a8bb0302c672431ebbe5b2fec44f77baef0158170e7d03e3d0413fe1bbc61e99a7de7adea13dd8466ba152bd55d6c549f8f84

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\L:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\I:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\I:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\Q:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\K:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\R:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\L:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\M:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\R:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\H:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\K:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\F:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\W:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\U:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\V:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\E:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\P:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\X:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\H:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\H:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\G:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\N:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\T:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\J:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\O:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
File opened (read-only)	\??\S:	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

pid	process
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3860	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3860	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2540	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2540	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2428	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2428	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3032	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3032	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
208	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
208	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1096	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1096	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3896	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3896	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1688	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1688	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3940	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3940	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3000	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3000	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
4024	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
4024	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1684	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1684	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3784	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3784	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3924	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3924	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1168	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1168	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2720	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2720	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3968	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3968	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2176	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2176	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1172	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1172	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3944	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3944	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1092	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
1092	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
748	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
748	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
"C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3860

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1936

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1688

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3940

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:192

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3876

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1704

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3924

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1168

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2176

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:192

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3944

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
30⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:748

C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
C:\Users\Admin\AppData\Local\Temp\1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
31⤵
- Drops file in Drivers directory
PID:2540

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:2784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
8e7a8cc4fee2421b26145405db6813ff

SHA1
2a48ff509b6df99f218bd0e1380575821fdda12f

SHA256
3428668beacdd67235ebd26dc4034675804d69f315607626c1176d086772f27d

SHA512
3d1198dd5b40711f658492777cc969c513658bb2aef549985b23a998a688345f6855778dc58e2b6aefe9607f2d9b20aa400b9b6641fd6d5f0a5856c5486408fb

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1fc75b7c383bd06929dd655d077c877b

SHA1
1a1e59eab08ed6a38e0f790f4e983d2391bfdcf3

SHA256
4f33aaf4f73c9abfbf4cb6dfe4cbe5c9d50679420d61e00879690cf006b26ddb

SHA512
80dd80c005797c6f76c73c26c6249ae1e5693e4dc047a1e4ca1fdc1321ae6a2f516546f47021e8fad6454f9cd4e0edec86632ae09014b5b8c6a60f2abd43623f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a821b4918798cf10816b8aac91dd14f9

SHA1
2c426a7b0bad22dc1a86338cc450e23351433501

SHA256
4277ec0adcc987d4e3eb681ddffdbc99a5dd60e700196afb4896397a861ef593

SHA512
7aa03a89ba8fe4b8df05dd7940b89a55cf3816dd7f5e7e8d820efe71d5a1dbb68c6319d027c5da03cb0f9e23b5467ea1f3ad706752004465a31ec2f42e5c4112

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ee738fb8f98d7607048255c8c51645a7

SHA1
65eb10f06c1f4cf70aa711b2b7c2f3381def822b

SHA256
20c53d0bd2cfbb92ffeabcfad7e979a531a0306a9276d0476cdb53593b2eb0df

SHA512
91e4dbd8b8e6a6ec00c461b62dcc6d23c8b736428c8ebf694873e67137fce86c81462ce65e23c38a4f8f6eced5da352fb8bf6a21d7ee250b070c581339e8ff29

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1818a5d04370f2168b4c9fef9923edda

SHA1
a4edeea34f185dcb62910549ece1fed4c9b72d1b

SHA256
a6d7f01ce00c9d2082c19155c297b44ea83fcd122b411e18dabdb3d42414a5d6

SHA512
3221f71354a8ca6a3efc604858da5fc04b93794c3cd0958943528b95acfeaf239d10ac82f1c6a158dbd3382692baad09620c74c811b0cf3ad5021f64b381cd2f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ac9f46244d1a9da24c40d504dc62550d

SHA1
bda3acc7e5d5f3a95581c58bebf46cd0db0d4310

SHA256
ddc2473452b1940cbedef195257ccf6f2c526b0e2edbc420f7d7288a1c4a363b

SHA512
9b0b2597435fe0a859e6847e2c7dbc05bcfdbe2352649e5f277fe52ee9f0bfeb83ea9c4cc38820275555d26b7d60dd69f5295b08797bbe68cf8de0f1ef76faf7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ec9d2ca64854eb599f8b9889c854f462

SHA1
53bbdfa861270a91f57f51e4a981791e29193434

SHA256
42e6df3b359a5039bcdc7ea91b601db832dfcef871473baf060c9ee35d81fbe9

SHA512
5e85096e4d0fadc77694cd8a49974ea21e29082cb2edc4f94382cd26d0760441fb6b9cb2fdde9b51e2e42570b13c0dbae314e240c53b0073801a7e0b82a16dc2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2d6d8b7a1e9345da9ecd897857ba90f4

SHA1
3b4675d10732f54d5ab37ed59bd3152405c769ac

SHA256
39e8a501c039336b22bfe9f6432167f33c5279aaa080c503ce082929475e983e

SHA512
11ba48c006f149601a7843950a6ec1c195002f88900c8741f599da3c216460b4e714dcf92ecf4c5b6a48051ddbc3de32c2500e61cd74de8983cc71c020792016

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5ef7ec6323d16457c7a20672fd87599d

SHA1
8579d5b62b3e617fab381a483256d3440e6fcd2b

SHA256
afbdf6aa7e7dff9aaa14b50e66fbab505d39755ceb1427d7f3b08fca2c7088b8

SHA512
f6ea1280df7fbafb4bb831c446ddc61f14916708332fc003c25e36e2cd7ee7b0f593694bb282eb597b62a9c15f16d8de4756bc4a5acf5eaf8d3bddd5722e9d65

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
509e0eeed8fe94a42dbb1aec0b052ada

SHA1
c7e2764ba24e8e9a88d82e3fb745561141e52bed

SHA256
547d19afdfb54e03559fdd4c87ed49312990d521c55c0e07ac0e3fd86251552e

SHA512
cb7d2639b28e39293c6e02a1a245f8e8b68c5d4d39ef87736f98c4aa194a13b8c3379df860737cc6d0b26da1031d7be2b9af60a502f0c935061786169eff4ee8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
462009694f6868db4d0e577c336a98de

SHA1
c84013b7fbf317e8909d017b0797b1da6938ab12

SHA256
f95c165aae40876ae3438149563ecb39f5286feffaa0284d173cd55d6fe11a38

SHA512
af3c9027afdb8b1f525cf87d8aa3b6a6749d820ca56938cb6de04607b8f6f3d11a324d8c0d91be0cd27313defbf0a94fe613370297ffe8f30804d1a7df760fd9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6ce945b5c7e3b5f5cd29ec28c358a8dc

SHA1
96b350fb5d25a6ba2288f42c9f3df9c2a3752c4b

SHA256
deb85490af7ede1048b70ad3612f8004791b10b5b805e23fd39ad9b5f39f1422

SHA512
79c772282a65ab9b575ba2bd53b9e2397b69b2a2c0e8365a9ac99dd48b4032e5abbcdd9b6a211f438d5048d0baa2a20a96e9abb512705801be67da3ed82ca89f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
47c3ed3430daab2276352d6556b21b7a

SHA1
7d7e2720ce4992f5d99fbed13858c83b372edd64

SHA256
5489b78ca85ff84df9a802e00165d20f444754594e979bd8b4e9b1dae37d53ab

SHA512
c66519634f27698edb49893f6102ccd6153d8db699b8a96e2d20945c5fa9aae3d476207090f326f826b0080eb063116b445ee450d0b6d93beed96dd2b9e895c8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c032b49daa9ce10f63ef1b6dbfed38cb

SHA1
0a0b29ccb5c9eeebe89489a37cde2b2ee08c834c

SHA256
397b278cc58c009e179b7d7420c96d748e876ed1f0ade428405ab79ed301187d

SHA512
a2f196fb6da21637e946da3ec43d71dc8fba9ff37a77540d08e2468626231a76ac649fb7778cd59ce74d87e9310c3a9295ee44d5ae6d2764eb492371abaff15c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
39370451bab41cc347bb9740477c6346

SHA1
0b86de2e60b1dbebf9a4c1f599aa1d28a4f120b8

SHA256
f8a4093a146d9efb2246ba6eecf81944c12a04dab733953c9fa22456dd9b621e

SHA512
74b0fd970fa1e1c2dd63359e4dde05257f0a193a3d09b3bd5da3060211a3e1ed02239ab10232c3162c64d60ed7effc7f7fb4480cfa08a85df77ca66e20bae85e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3dfbfbbf4d964d31815c13cde6cf578a

SHA1
48e5e27e95b2116921fb9433190ce79088e8525d

SHA256
b8103aaf0bfaf63f6fb7628cfd7a6c007b7687fb90fb9f7e373dcb932a92e66d

SHA512
06b19f3d3843e1179b1558f1b58df15807ea6af88b9f2261ab95bd9a37914ba7d4a0aa02fc75efe057ef3a967c7759907fd2c989d75e7ac1753f09b9a4cb8f5a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
eeb187ec36ad4153550102742592c946

SHA1
2d2b023079dfe5b25ee4272451653a84029d47d5

SHA256
185b2f45e928899bfb65f517126c22cb713da15ed5134609f79c30a985af1300

SHA512
94d3e157341495ea8b361c7bbc4ddaa7d2e8f00d25cfc52f2281f0035bdb1c5d0e5f0899f7da6c6a59435f15ab9d2bcbb3ba3f56c1fb1be59718e785972d2090

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
20f5cf3308b4aa0d175731887d5b5edf

SHA1
730d35cfb5d736ef97329ea3eea61ad4c5fc7674

SHA256
95613a26f6af4a77742f60c550617d4618e816bf4247a7fce5ae0642a0f2f0ad

SHA512
d6becc8df7051a91d29a2a00f12ba1812a16d18f4ea6964a3803b575f8c084b71c788933f07018328c53358f701ce41e3e4c4fcf185f3631648381d383d91c62

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
0dddd4774393dce65f63bf3ee1ac5666

SHA1
41e6934ba214653939dc9008d25d1271bb1fe158

SHA256
22deb6d68f54c5e88e98323563782f7c6a9d560dfc7666d4e0bf389dc6f89615

SHA512
06c5694b6bea3367272d5962f697944bc1cc31fbe2a5b259e54df0b5e0fea44785185cbb21dc4134ef90e5bace0ee24c3a9bc2a934209ec4d807b1871c1bafee

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8e5e028d10ec436e10f6c05ae9ebe8b4

SHA1
ddf988213c0a8ff3d2fce57ff8b75c7b7e1cd6dd

SHA256
44e7560847c8d36af23174c844e0fbba8e4de98542513edb5ccd93c839fead36

SHA512
7bfacd73326254f20f64efc0711b0ec347fd76ec594441ea219fb1733e4299f8e7a5b1981dc32b19c79f7b40b5c9172da4987e80865d657266396cdf56a79258

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b23d726d2546a07b4ed8b2f1ac4f230b

SHA1
c4ac68f53200be9c4a256587731d9831667a5aa6

SHA256
fd90b33fa6bbec141c8606f23f3502fb075188f43241da7369d53b8e90bcf98d

SHA512
295eacd288dfa66a0e51f2103cebfa1f61e687bb1d42f6a2161954e040163bc6929bba2daba85e387de4dfcc97a72aba3ee13b74092e2e5340d38d11e577b9fe

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
cc837cec1250fd454ba040ea2a20acfb

SHA1
5fe4e59bb592e5d19da229e145c45eb371ca8e7d

SHA256
19d8839f94d3a4866a1d8b2218d7dc623e76d4c689264537671c07514dbc3090

SHA512
182cb16b3fe95ee3314a3ba1c94f7158c5c208aa18319c1c58f2b26b73640845377570efe95ac0bf117dbb4e154c528b4e3ef5b3331deefb09ddb78e6e7100f8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
75d22190a628f53822f9ca8dc096d620

SHA1
7d7390501dd22b7b63c6532062ab453002de21c8

SHA256
c55f7e47b0c304aea4af7c0d6b124291228321ac4b5a5deec88402c57ce1e8be

SHA512
4fc869850b083954e0e7f1284727d62d24a0c817d1c27f41d4055d45ca55cdf3b5c8359ccd64a3556ef633b2bec5f1767e169d4e916ad7975eaad5a2c6365562

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/192-203-0x0000000000000000-mapping.dmp

Download
memory/192-160-0x0000000000000000-mapping.dmp

Download
memory/208-132-0x0000000000000000-mapping.dmp

Download
memory/748-207-0x0000000000000000-mapping.dmp

Download
memory/1092-206-0x0000000000000000-mapping.dmp

Download
memory/1096-140-0x0000000000000000-mapping.dmp

Download
memory/1168-192-0x0000000000000000-mapping.dmp

Download
memory/1172-204-0x0000000000000000-mapping.dmp

Download
memory/1684-180-0x0000000000000000-mapping.dmp

Download
memory/1688-148-0x0000000000000000-mapping.dmp

Download
memory/1704-176-0x0000000000000000-mapping.dmp

Download
memory/1936-136-0x0000000000000000-mapping.dmp

Download
memory/2176-202-0x0000000000000000-mapping.dmp

Download
memory/2428-124-0x0000000000000000-mapping.dmp

Download
memory/2540-120-0x0000000000000000-mapping.dmp

Download
memory/2540-208-0x0000000000000000-mapping.dmp

Download
memory/2704-114-0x0000000000000000-mapping.dmp

Download
memory/2720-196-0x0000000000000000-mapping.dmp

Download
memory/2784-115-0x0000000000000000-mapping.dmp

Download
memory/3000-156-0x0000000000000000-mapping.dmp

Download
memory/3032-128-0x0000000000000000-mapping.dmp

Download
memory/3464-168-0x0000000000000000-mapping.dmp

Download
memory/3784-184-0x0000000000000000-mapping.dmp

Download
memory/3860-116-0x0000000000000000-mapping.dmp

Download
memory/3876-164-0x0000000000000000-mapping.dmp

Download
memory/3896-144-0x0000000000000000-mapping.dmp

Download
memory/3924-188-0x0000000000000000-mapping.dmp

Download
memory/3940-152-0x0000000000000000-mapping.dmp

Download
memory/3944-205-0x0000000000000000-mapping.dmp

Download
memory/3968-200-0x0000000000000000-mapping.dmp

Download
memory/4024-172-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 3876 wrote to memory of 2704	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 2704	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 2704	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 2784	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 3876 wrote to memory of 2784	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 3876 wrote to memory of 2784	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	reg.exe
PID 2704 wrote to memory of 3860	2704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2704 wrote to memory of 3860	2704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2704 wrote to memory of 3860	2704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3860 wrote to memory of 2540	3860	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3860 wrote to memory of 2540	3860	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3860 wrote to memory of 2540	3860	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2540 wrote to memory of 2428	2540	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2540 wrote to memory of 2428	2540	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2540 wrote to memory of 2428	2540	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2428 wrote to memory of 3032	2428	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2428 wrote to memory of 3032	2428	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 2428 wrote to memory of 3032	2428	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3032 wrote to memory of 208	3032	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3032 wrote to memory of 208	3032	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3032 wrote to memory of 208	3032	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 208 wrote to memory of 1936	208	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 208 wrote to memory of 1936	208	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 208 wrote to memory of 1936	208	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1936 wrote to memory of 1096	1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1936 wrote to memory of 1096	1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1936 wrote to memory of 1096	1936	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1096 wrote to memory of 3896	1096	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1096 wrote to memory of 3896	1096	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1096 wrote to memory of 3896	1096	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3896 wrote to memory of 1688	3896	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3896 wrote to memory of 1688	3896	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3896 wrote to memory of 1688	3896	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1688 wrote to memory of 3940	1688	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1688 wrote to memory of 3940	1688	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1688 wrote to memory of 3940	1688	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3940 wrote to memory of 3000	3940	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3940 wrote to memory of 3000	3940	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3940 wrote to memory of 3000	3940	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3000 wrote to memory of 192	3000	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3000 wrote to memory of 192	3000	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3000 wrote to memory of 192	3000	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 192 wrote to memory of 3876	192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 192 wrote to memory of 3876	192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 192 wrote to memory of 3876	192	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 3464	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 3464	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3876 wrote to memory of 3464	3876	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3464 wrote to memory of 4024	3464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3464 wrote to memory of 4024	3464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3464 wrote to memory of 4024	3464	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 4024 wrote to memory of 1704	4024	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 4024 wrote to memory of 1704	4024	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 4024 wrote to memory of 1704	4024	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1704 wrote to memory of 1684	1704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1704 wrote to memory of 1684	1704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1704 wrote to memory of 1684	1704	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1684 wrote to memory of 3784	1684	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1684 wrote to memory of 3784	1684	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 1684 wrote to memory of 3784	1684	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3784 wrote to memory of 3924	3784	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3784 wrote to memory of 3924	3784	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3784 wrote to memory of 3924	3784	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe
PID 3924 wrote to memory of 1168	3924	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe	1de3a19dc4976286dc53c196dd2e40419f693f8baea9c7a9541743f4efae3397.exe