7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09

Analysis

max time kernel
148s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Size

366KB
MD5

7a3c5d6d3e30f57539e3a163ef91e76e
SHA1

ebdcfbfd07279cb3d6195c532eb3914b7e66a68c
SHA256

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09
SHA512

7e6bdaabe983d482c83de9f50772093a085cabbaf5f68e1bb010a11dfd7676d9478132b068f2916e91a177bfa3f6f9412df86a85e45664b929da41d0f394e4f3

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\V:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\T:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\M:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\W:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\K:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\K:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\V:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\E:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\M:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\F:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\F:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\V:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\R:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\I:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\F:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\T:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\J:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\H:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\U:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\O:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\S:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\Q:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\P:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\L:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\W:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
File opened (read-only)	\??\X:	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

pid	process
2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3448	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3448	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3152	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3152	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3220	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3220	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3472	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3472	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
200	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
200	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3464	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3464	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3756	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3756	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3808	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3808	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1316	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1316	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2292	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2292	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4032	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4032	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1256	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1256	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
512	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
512	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2276	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2276	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
204	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
204	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3996	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3996	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3332	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3332	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3836	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3836	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3844	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3844	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1736	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1736	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3052	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3052	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3728	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3728	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2476	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2476	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3044	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3044	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1444	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
1444	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
"C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2984

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3220

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:200

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:204

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3996

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3332

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4016

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3836

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3844

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1736

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3728

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1444

C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
C:\Users\Admin\AppData\Local\Temp\7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
30⤵
- Drops file in Drivers directory
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
d1758da1c7b078d1c3689252a2cd6135

SHA1
e61b44a123a7260781e8c23d0d0ccb38c492a6bf

SHA256
b57eb1a7ac8c0ab962a42bec760dfc337eb37ab846c68d6cac56d5117ac65aca

SHA512
c6e9a83d3e4d88978094c20728589f8eea8016d0d1e38180df30fc78c45ab674716f3d14eae0124820ffeaa7d48326b09f18bb71b3a1bcc5ff38263402cfc008

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a0bdadfb4168b3e817e7aca8c01154c0

SHA1
3caac2253bf69070e1ae6b3870b4660f3dd90d37

SHA256
1c5d6ede685acde4729e86b14059bf47cf88389cfd02aa10f32ce6dddfb58a74

SHA512
f388d76f3a9443f5180753d264eca87963c48b56d8beab51191566a463d4972fda65bbdad3c31f8c56193e0f8b3451c038f5990972608664e366fe0fe5629c13

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dc2c777197081a1ec6385d9227caf327

SHA1
3ae4367be97e5105d7215ee09993b94a748374d6

SHA256
cc7ac8cb6aa84468e8fcaa1ecd5d508815647a3e54628fb4bac9e1c9052edb95

SHA512
9fee6040b061d0adf6dd89e79684a2ca1463c310b36db95c9d78dc3e3046b5a987cd9da4c545b09f029b0c54a84fcee1b6a5a19e26d0b39569adf8d701fe8e82

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
2a11ac207ef7b7d84d60269e34cf1fdf

SHA1
4d807c1df62dea6d06965d134642073267b8efce

SHA256
5269edba9dc128283e7d6f12325c8b352d30008508139e3e8f570b37084cd2e1

SHA512
a630994e8b7be75aa17155e636ffa7863e88c0902b157c957c22dd56012a05031688b8fc345f69a39601b79ce7bf766bd163e53db13180586419a7fde1fd67f8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c29543c8a0ef96b334cb1607e16a5439

SHA1
cce6baecfdd4030f886669a6bee0e990bb683ffd

SHA256
618fa9183f56b9a501527a83ae83b6014d59ddbfdf78c4a1a9c7e73c192c91a6

SHA512
ee981dd8053e93dda69d9c79e501660c86d309499b2b3061601a49cbb5f120ca2ee229aaa447b2e79816ef96df64dceb9baae761efc399e8fab35ed0bca22058

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
010825f9782facba50a06c5a2225fcb3

SHA1
8a7ff69865f087dc0162c9365a1a275839fa0c4d

SHA256
501701828ac2a636f2aac0665af52cdf22ad4c42d8e26792bf9736e78fad274d

SHA512
c8fa60ada14ac451ecf95017e2b876fa8911861ffa5ebf6df39c54c61cac544ef09a83c17ead76a4e96b8a9fa8b794b3d44da63d16cee5f37be6d5055d82e853

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
00e4372fa6f7e93c177fef7e388f3ff2

SHA1
08fd2e44e9c40cd0f856a15b4826c058508d090b

SHA256
70720651c7275897f64aeaddbaed7afc388078c0109f823b037699880ac10037

SHA512
4d30ac77dd3243de3624a76dbc41ed2a5371f2ebc1c7ccb20591ab4f4550594dcafc7c018ee8346edf5cfff0031f2024a6f0ad8e058460dd0c3af19dbbdb294e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f05e0d6dd239b6263ba1914a991e64fa

SHA1
07940945ee8d4af7b2e795cf15c696e5111fe5a6

SHA256
d2539aec26b8fec456878987f57423103b2f9ababcbf2a80d1ff2f9baf969a54

SHA512
32fefaef45366633c3c8834c11d40b4b16bf288700476768b2703deea9a5587e81cf2ca78858ef89d97b3e5e2e7543bc868a51100b29720683b286e4d64a94c8

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
4ec34625b96be1c1a71c15b62daa3dd6

SHA1
cfc15d2d9f65f6402db96f9a4a92e338e200d972

SHA256
e4e030a3f1b349baf5ea7db1d89a216bb5125d41859c7b8d608fece239c767f2

SHA512
12499fff2c706c71aaa7b49ddecd125d283e47fda7833bbdac04a41ac2c4ecf3d76af056840f1ddbf05597a0a56e02781a67b36b8511a057d13cf93439504db0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3b8537f792898280ef0720cfb8aa9c54

SHA1
c838e33917e44abcc19c296d3fef167f6ebd3b3d

SHA256
c828547c2dd9103279856b55969df2bf46644f3589fd5b3d8e74784400a7260d

SHA512
5ef8fde615f8457b1c5a36f203465ac4382eaf3b8c7cbc539141d20f35700422ef10ffc5d9c7f804ad3992070b9a30448f967c0e34080e9dda3e043e944f9756

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a20b598032ce865f8a22a04fc3e613f5

SHA1
43e28d55e5f4b87a45b1f1529b6fbb1a7676f9c2

SHA256
9159186d89f7c07df4ed51636041bebd0bceaf344876cd436788e1494a14f3fb

SHA512
e45a482f884448bee82fff150ccb7043369d253917c983fba5c101cf6c77bdcdb5b2bbb46a5873d01a261f0d1838f557c2fdea8ac1ae3d7184426290367689fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
76102e74cf7542f419e1cf8a3fd46923

SHA1
ca15b349f1ef2266d1b5a045e969047838cb2621

SHA256
0666a07963854d43683be468df0a2086cee9a02b646b05b8be779139b7401966

SHA512
ddf73b9b4bf839e3528a4dbda82aa2387f01236977a1772227f455962e3fc7daca6d3288ace4f218e83d911fcc6fd94c3de46ed2f2f4bf9df4999a3d6058ac10

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a66a7a222ffd0dcc4a3487006c559f43

SHA1
42556bc4663a6b129e3faf6d3f36bb8a894430ae

SHA256
9f423185c8bc4a4e4aee4c6f998e48fe42b08c8c4c19940c240dab8aa211a09b

SHA512
269efe6060f76ad88bd1f02317296c59e79090828f3ca5e29834efc6fddfa9bde5a46eec15f0305bc80a86d9823fa3ea889d3d2c140833689c192980dceb2997

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
879b1f8b0432fa72edbc4b00a320998b

SHA1
1ff35c45bfa738c42c42b4a42efed662d41e6eca

SHA256
2fdaa88eff334f9c1bdabffb01260479b88b6e851efc5c0c497a59915c7b3657

SHA512
24b53e4dce47488512dfcb6287b44e252b8f58be728451788725922a6c3636971ba8ba61f19f59aaa5aab444e4a661096732e70b5afab58bfdc8419df341fcf9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d055601d46416deaab0cfd2d9b0b5611

SHA1
041017860c57a5b3c6c53e70a9fca12fd3788a6a

SHA256
100ed53ed913a158002e483c4257af2495b9a696710bba06e3839442b4f5dfc3

SHA512
ee1206a18b292f863b033113bf42afa5c5d4c515531e45c106c67d6108129e6fcf8659068a25d8ea5029e70d60712b684ebae440aaf70f63e459f8e9c50c8529

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5ba07ae8f688740745328f6ebf2f48eb

SHA1
3d5ea2aa2a9d61d0aa82208dfd1be49a63f99dc4

SHA256
4ab1c9dffc09d7c283def479734e47bcb249ecb1de0f2f724e2e5328cd460a0c

SHA512
024b892e103eb7d52c0588ede19858eba3a6759e04e67881743247692739c7074e17c035fbe4fda594c0ec995e4054890fba46791cf9d2f45d0a70226eb4f13e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c8270b5bf31d02ab3094c336ecb3b047

SHA1
c2062856197625a906c23942c724330585b28e71

SHA256
80a098e2ddf6f55c8ac4a5dfe2afa0862c7db584cee176f96b620d33229c18ce

SHA512
73efbf4f96bdc9914785fba60613f21c6b99a59b8f987849c638f8cfecaa966b7bdf1194354af4457f60522c7ab64429cea6306498f52f4e6d2946653ea3818e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dc007c68b1b42602987f71198a78b2e4

SHA1
6fadb7f85437061ae5712ae95206bc79f86042bd

SHA256
0325a4d4a3339e0c7c8c628ca1d78538c36f5fb9c7233a9d39800ce786e5c55d

SHA512
14082177a1ba46345be97a08c3979cd8473e9506900ddb46d904027ed152f9ca53364739564e18d3f7227ad3b35477a94c192ff3ca923dd4027c395f9d6b3e44

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
78d34bfde646d2519520beb715dddcaa

SHA1
a84e19e5e043547e1f75c966464380e2048d5218

SHA256
ae2724de11ac7c810534ea3ded90efc3877cde1d6632a558906db244dd781cf1

SHA512
a5905515dcadf156663f2ab0429501b6bf366aadc8473d8ba415b764b6d8b3009d1bc53dcc28abc0f3f7ab160fe612e751f092efa2ad4747f99c75c73e14208a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
92aa393caf48035481a2412b6b4ee00f

SHA1
ee2a098982ca059c65ead19541023bd85ae30a7c

SHA256
38c31c5e23bec132f0fc8980da1592ec48fa5b46d572ad3e43b590803fe35f32

SHA512
48a797a3375034c5c6e6777353ca125c283db7c8e3e841f01510c5100787c360eb546b28d6ef1532e7bb7d4438704c86c546b79ba82174f38515f9affe64f417

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ad15318e7e91ee5ef50cebc7efd0f2c2

SHA1
295d8a987df3a7b05f332c98f654fb5b6db7d8dd

SHA256
9102e03015c425d3ae517f9c58ffd52ac576fbf5a152503adcbb118681d7f378

SHA512
0b219bed7450f598d175b1f88ceb690bfef4fd6aad9d0f6b83347eae4010eb0dd9678a749a1129fa1dbf0d50280055df001e745bc859df32dd82bf39654cace5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
ea083d530a44ac3613385074d1d7bcbe

SHA1
0aa18a44722b9f75320a78b22094bf2ec2396cf4

SHA256
4c02425496465d250d61809e8bb6a5f7b20d4ffa0d09b2f77b1b06016066ecd9

SHA512
4818cc878569e098cd3051e726897754af87f6fa4927c058a1072e14beaac1d8201158e6563f310f2835ed89d899ee710ab752ff14b8400d01d19f6528f831e7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
c35cf3806694c477a7e83c0fb1a4b9d1

SHA1
efc2352d22dbf2b6041496d7f8f47d855a643c7f

SHA256
6bb6e88fcb4ccf4caa9fc7b71bb143a5789053b84b4f76801106a0e161174d99

SHA512
e1d3dfecce2b80bb633af507c6ddfeaf3f5a4d800cbd63fc6ef00bd0e55d28598c0a018651acc0ae9961ace0b403576806a16ab902505157fe15cf7286d4247a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/200-135-0x0000000000000000-mapping.dmp

Download
memory/204-179-0x0000000000000000-mapping.dmp

Download
memory/512-171-0x0000000000000000-mapping.dmp

Download
memory/1256-167-0x0000000000000000-mapping.dmp

Download
memory/1316-155-0x0000000000000000-mapping.dmp

Download
memory/1444-206-0x0000000000000000-mapping.dmp

Download
memory/1736-201-0x0000000000000000-mapping.dmp

Download
memory/2276-175-0x0000000000000000-mapping.dmp

Download
memory/2292-159-0x0000000000000000-mapping.dmp

Download
memory/2476-204-0x0000000000000000-mapping.dmp

Download
memory/2512-114-0x0000000000000000-mapping.dmp

Download
memory/2984-115-0x0000000000000000-mapping.dmp

Download
memory/3044-205-0x0000000000000000-mapping.dmp

Download
memory/3052-202-0x0000000000000000-mapping.dmp

Download
memory/3152-123-0x0000000000000000-mapping.dmp

Download
memory/3220-127-0x0000000000000000-mapping.dmp

Download
memory/3332-187-0x0000000000000000-mapping.dmp

Download
memory/3448-119-0x0000000000000000-mapping.dmp

Download
memory/3464-139-0x0000000000000000-mapping.dmp

Download
memory/3472-131-0x0000000000000000-mapping.dmp

Download
memory/3728-203-0x0000000000000000-mapping.dmp

Download
memory/3756-143-0x0000000000000000-mapping.dmp

Download
memory/3808-151-0x0000000000000000-mapping.dmp

Download
memory/3836-195-0x0000000000000000-mapping.dmp

Download
memory/3844-199-0x0000000000000000-mapping.dmp

Download
memory/3940-207-0x0000000000000000-mapping.dmp

Download
memory/3984-147-0x0000000000000000-mapping.dmp

Download
memory/3996-183-0x0000000000000000-mapping.dmp

Download
memory/4016-191-0x0000000000000000-mapping.dmp

Download
memory/4032-163-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2016 wrote to memory of 2512	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 2016 wrote to memory of 2512	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 2016 wrote to memory of 2512	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	reg.exe
PID 2016 wrote to memory of 2984	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2016 wrote to memory of 2984	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2016 wrote to memory of 2984	2016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2984 wrote to memory of 3448	2984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2984 wrote to memory of 3448	2984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2984 wrote to memory of 3448	2984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3448 wrote to memory of 3152	3448	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3448 wrote to memory of 3152	3448	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3448 wrote to memory of 3152	3448	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3152 wrote to memory of 3220	3152	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3152 wrote to memory of 3220	3152	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3152 wrote to memory of 3220	3152	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3220 wrote to memory of 3472	3220	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3220 wrote to memory of 3472	3220	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3220 wrote to memory of 3472	3220	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3472 wrote to memory of 200	3472	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3472 wrote to memory of 200	3472	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3472 wrote to memory of 200	3472	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 200 wrote to memory of 3464	200	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 200 wrote to memory of 3464	200	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 200 wrote to memory of 3464	200	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3464 wrote to memory of 3756	3464	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3464 wrote to memory of 3756	3464	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3464 wrote to memory of 3756	3464	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3756 wrote to memory of 3984	3756	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3756 wrote to memory of 3984	3756	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3756 wrote to memory of 3984	3756	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3984 wrote to memory of 3808	3984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3984 wrote to memory of 3808	3984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3984 wrote to memory of 3808	3984	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3808 wrote to memory of 1316	3808	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3808 wrote to memory of 1316	3808	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3808 wrote to memory of 1316	3808	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1316 wrote to memory of 2292	1316	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1316 wrote to memory of 2292	1316	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1316 wrote to memory of 2292	1316	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2292 wrote to memory of 4032	2292	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2292 wrote to memory of 4032	2292	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2292 wrote to memory of 4032	2292	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 4032 wrote to memory of 1256	4032	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 4032 wrote to memory of 1256	4032	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 4032 wrote to memory of 1256	4032	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1256 wrote to memory of 512	1256	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1256 wrote to memory of 512	1256	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 1256 wrote to memory of 512	1256	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 512 wrote to memory of 2276	512	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 512 wrote to memory of 2276	512	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 512 wrote to memory of 2276	512	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2276 wrote to memory of 204	2276	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2276 wrote to memory of 204	2276	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 2276 wrote to memory of 204	2276	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 204 wrote to memory of 3996	204	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 204 wrote to memory of 3996	204	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 204 wrote to memory of 3996	204	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3996 wrote to memory of 3332	3996	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3996 wrote to memory of 3332	3996	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3996 wrote to memory of 3332	3996	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3332 wrote to memory of 4016	3332	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3332 wrote to memory of 4016	3332	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 3332 wrote to memory of 4016	3332	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe
PID 4016 wrote to memory of 3836	4016	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe	7cc89c6281d8b30d48ffd9dafb6bb47effd5a90d778787e544633fc058177b09.exe