0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10v20210410
submitted
18-05-2021 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Size

1014KB
MD5

9886479ae7902f047409a32d28c9ca9c
SHA1

a973cb1cb0c088bbde87338eff2136d56db5f97e
SHA256

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0
SHA512

eb6298a867136dba43d7e2180ed5c9c0e744a278b005ee3e624d8291860a391f7621a01f24902c62d35b0c91ac64f0f40b6f65996847cfdae8479525783188c3

Score

10^/10

adware persistence stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Modifies system executable filetype association 2 TTPs 29 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Drops file in Drivers directory 60 IoCs

Processes:

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	upx
C:\Windows\SysWOW64\drivers\spools.exe	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\J:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\L:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\K:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\J:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\X:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\L:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\T:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\E:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\X:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\I:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\O:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\J:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\G:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\V:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\I:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\O:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\M:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\Q:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\K:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\R:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\O:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\E:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\U:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\P:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\W:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\S:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\N:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\I:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\I:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\E:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\F:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\O:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
File opened (read-only)	\??\H:	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Modifies registry class 29 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

pid	process
2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1292	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1292	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3776	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3776	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3340	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3340	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4052	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4052	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3752	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3752	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2076	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2076	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3848	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3848	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1748	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1748	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1504	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1504	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2244	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2244	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3152	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3152	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2700	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2700	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
360	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
360	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1816	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1816	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3324	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3324	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2736	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2736	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
592	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
592	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2220	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2220	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4048	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4048	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1000	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1000	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2196	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2196	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4060	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4060	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3460	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3460	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
1820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
"C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
2⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
3⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
4⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3776

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
5⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
6⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
7⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
8⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
9⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
10⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
11⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
12⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
13⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
14⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
15⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
16⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
17⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
18⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
19⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
20⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
21⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
22⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:592

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
23⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2220

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
24⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
25⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
26⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
27⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
28⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3460

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
29⤵
- Modifies system executable filetype association
- Drops file in Drivers directory
- Adds Run key to start application
- Enumerates connected drives
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
C:\Users\Admin\AppData\Local\Temp\0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
30⤵
- Drops file in Drivers directory
PID:2284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
db774dc4bfd50f353bf0b656fe9dfc49

SHA1
78733c953ae0e6cad1d23dbc5188f46710e506d8

SHA256
35627feca2c4715540fe574a72b4ee01315c4b0e9b5dbe5f8177b373f4b6c017

SHA512
846f642c663cb0fa0454f05d786468c592b50ffdf87c3e7c9089577176be8396904c0e601794712a97cbe2b88d2381ce2022a85f9eb503393fa80a00c5093eed

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
437c397c70c8aecd65d5cef94d6fc4d2

SHA1
f6c5554ce405aa1cf3441026906c2e4d374e19bd

SHA256
26f45887202825046ba6eb15f1d11ca60c84ab4072cba7644a1e83f4486f4de1

SHA512
1ecd77a4e0dc77e3e6fd57f33ad62bacf4862a8fa0ee2d1c1f409aed7598f88bae36125d4bcebaef43409d64bc1547a997c7ef59dc6a3e7cc51315e6797ba185

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
a864e2c4c16b7e1e7f37d3a541aa0ccd

SHA1
05944a4cc2a818c334245570f63cfece935a6dab

SHA256
1758f66c8904052cab915b236eb93659501627ef44b2c14ef5c6c4dd6739602b

SHA512
3f6a30dd53b6447d0e2079f159b16b870b0c6f34af3d2bc373d8636eee908cc67c1320b50423907d8d77934693112aedacdf345e00546daff6813a19199a4ba1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
MD5
c17b36639ea9621cd1bbb33dbff9e926

SHA1
9f75affddfcf2b8c5c85019d681f791066183d29

SHA256
f1f308cef1ae8b1d755cbf392125a892076e678d91f828f6782b747fa4fc5b16

SHA512
99cbd044879549d1184c00c8d444d4e2bb12335a3e5efc629a461c6fee7bbfd90779af2ddc1ae9f58de4306d2d06890a6c53216da873fd4869bb07230c3d8c8f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
85f7e88ce5c6cc3ae5664bff65636f13

SHA1
5d904ce3cdf5a9a17f4f472325516b7db9d168cb

SHA256
ad204a4b48f6aaf25e2e1aac059aeaa15cce45167b85589ca9d057069c917c2a

SHA512
6286dbe10eb669fadbcf71f46ac1a2ae25e6e603939963b9f26b364b5f46fcb96dff31a71542bf93a93e340761ef77c52174176d55bc39298a83d0bd9f8acae7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
adfccba56b81e92d5b389ef32ad3e439

SHA1
799622a75d953d3769115f8fc13bdeda9a21391e

SHA256
0b8a25c32d59bf1f2e0bffdc9e2e658975a3f4ce6b87f85f43c62274980a0154

SHA512
866fc203f55802b87c43b6dac05c1c2d6367864ac4c1f968ffd18d1fe8da010753819a205493cf668b6a56a58203265889b40bb4c448bfddbc456261af411e61

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
560211c6e1b2b02360868a71957383c0

SHA1
a7ddd9b63f693570fc21c153d53cdcafe6baadb3

SHA256
66fc248c41671d41d81e3254640d7bfdd2145b81cd3630558668b6ba77dbb30c

SHA512
575994d17621729882556ae513b78ec0dd051e731e28fa86ec6b2a0a8230b868b4a4a52320b53eb55ed7bac9f95f1c299c8de61e3730ec871c723395c6ba85e1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
be4e80430e7be4e02c6b98ee08796de7

SHA1
9055a03586162ccbaf369b7dda06eb8688f87730

SHA256
1646703d68ef26ef5e54d170dc8799d80681b0230ce8e57123ea0f90b53195d8

SHA512
410e7d95806507a6ca5d6826313556463645d62ba0a41f1a9226cb93929aa5c408f8d0926179e9a89f6896aa4011b9c92f845a50f9b952bd09d9049fed561778

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6ee97da6d8dbcd279b8573c2209576bd

SHA1
eb913b789e8fc5d948c3d44af6b9676626787b22

SHA256
9b45ac456c478d19c8fa842ec67a692e55325fd53136f00cc5c7112856547d89

SHA512
e144b3cf1f5d5ba4a85b6d55a605e5b95a62bcd1c1594cdf5a42d44d4231a76b32f2a80a59decfa566bdc69d773b14a66d3870308f06858b6c2a41ada8372ce9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
50ca33271231f2512c5d8f8d64f96cc7

SHA1
433ad16128c4582515205172eff0e2a884c27533

SHA256
0a9c60a759d092d969dd60bd6edc72f24764ef4d94760688ed0880d409069304

SHA512
8f888b821c2523b7987f41f42a8b3795c7da45fb2601c85c92a538098bcf83b7a41cf8ee9c0602dc9f0fcb4192f603b34a2733bb3d771f6127d1df2a17f67368

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
5b832c2d656e7d79c5def54ec8275cb3

SHA1
187c14cd76f9e7c56ef130369f561303dc61c702

SHA256
5c8efc926fbe83693131eb5dae885d6abfa42d1a5b0b959059b9340059127494

SHA512
0b31f5df6633ed493aded6919b9f18b5e24d035362be3714307513460942e5b642a3e8ffc3fee0735915d64ae406d9b400f599fe311d519d7542f5fdc586980a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
dac9bbffb95afa21e3ae892e3426a943

SHA1
f0b7a9af4a7b5d42de765b4620ca8d1fba3332be

SHA256
439931caed640f51b6975e08d9c54ee54b28fa7c5b9f51e4e55abc377cb1876e

SHA512
9a32062da58201746dd21d5608d67a47b8fc383e2868e6b8aa580591d668d62eaf3816ea17ad7a19f59270392eb9dfcd945ca3cd1ac59820fe6fbd1e325fc5aa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d6eabef374d9507a5720924537a0c54b

SHA1
bd9ccac5305b725cf772b66bff805a517fea15a1

SHA256
385c1c859f8ae9ae734aa46629b9d55966ccc11cb2246d9e53a1750dc524d316

SHA512
64c34dc483003fe08aa06237179096b7dc96fd85dfac4f00f2dab22a88b96c4bc9d65ea22cac1927fc6e663fd413e7689a99001e3b6551ded06f42b12446e61d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
836dcae5a535e6084ef67b4271a73063

SHA1
a526587972836fcc38893be0ceb2d954d5fd6670

SHA256
df00f369d9d962ef585d5788ef35c4bf218c090da63472693d79dafa96247cf1

SHA512
56fe1126b28a4a6e39c3c51d12126bb6da539690f16a6b3d635deef178d2d581affbbf5b59fa23fa08c9d17a155f1ff52e239b43514fc25c0080b189541517a2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
b2fa73894b3e461be2b9ca8dc9997da5

SHA1
18b106b2dfff4d2d9015082eed25c47d59405f70

SHA256
910350e2ebacbcbdb70e1e6529a961fe9802779927b086860984eff5e7189613

SHA512
986a4af5454868b22abb826dc399ff4ab5a9dd8222a12a7d16717e10b599181afa2358de218ce1571b0ab97b462aedb2fa2743011f5dd1fa4ab6f1978ed8728c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
6df983b7972101886bc32f1b2f70f2be

SHA1
fd679769ff4f15d01ae8d638aa1dcdeecb996b12

SHA256
888aa9f04b39988847ee02c320659a5773dcba851d7cee410ae6ed916bc0d5ba

SHA512
c872b99c399f95ad0e5bef757dccc199a0b5e0e1d15dbf70c6878aa122911e8919171aa648a63821ba8953f823019281fee4001253d17706b0656f268bc756df

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
e23618af9e60c33e9d0fa5fca14acda1

SHA1
0c5771a33c902facb00e83c2e1887ffe8036957d

SHA256
87b888ab3658ba31af98fa0af269173a80bf36774c8f223096a8b3a8fa346357

SHA512
5ce613c56bfb976ac29505e3c45f95a56b1cd4415de12b7bf6d85044c3a80f35c37f6baaf0db05b9cce5723d6628ac414a7f4167138bcee44f7ddc6d8c835953

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
8861e30ad82f68aee687fdf55c01f892

SHA1
f15d81b9c93fc37f765806e0ac46ee659c094ebc

SHA256
f91032022d517eec56b4f726c79269dbeb54728865ff0bfd47eca33973d34cd4

SHA512
1d56f56f424ca0b3e68f160b8a831d28f0641a473db9946c13e09ee1dd18475a595a41c945831bc3d46b7735f5600586bbbec1466ed6e3de575cc88ab02632cc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3b04453620206b8f3ab777f1ff67daf6

SHA1
e4cd6b7911bb32b3ddf30e6fdd8b5f0ce43a5f6a

SHA256
ca9a5aea0dfc0641f39a29f1d9fd5e6e3c953264eee4de6968967219309bcff8

SHA512
8a72ef38d3ee36d26e448a3d69ea7cbe7af34828eb3fda32eb13965170c3f0eafff66af81ab4acc1c29b1b6f6233396555c4567fe0abf9007949f5d96f99adc3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
04aecaea07b35464c38090ca2befb3bf

SHA1
7a4a559ad490d0af191d9e438ed9e1455908e6d3

SHA256
c553f4ad497ddd88423f9b0d2b76e7e1e3cea6841c811242a349e25619730804

SHA512
b191f488dd511592010187cba6c656d300fe34d6b6043e3cb304290f9d6dc575c33453da9c1c7f0150f8d64f7d47a7aa510d54e1538f23201d72e684c3b7ed88

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
3c38879debafc79d862f7cbb774ce913

SHA1
fdaabd15f905eb7c583a47de84c6e45a89c39273

SHA256
86e2e8aed84e90603e10966feb5462a837ce3914fd6e0ea4660d3339e120db38

SHA512
9156a371a7fde4ce145512d8f6590df9deac9aeffb7c30841f1579e046edb7b2ab577a4283dafa1c531132e2557fef5724a4510104fea00ed5fe3df9325ade47

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
58b587f7ac12f1efe50234134244f0af

SHA1
9c897a96780929303dbda9de59126763a76a09fe

SHA256
18618583469e3af109c3418c906d124c35be247c8b23a47b2e72345059fa0ab8

SHA512
e32ccb1157fe24776ad50c2784e7e61cf66168b45f23c71940ce73fabadbd2228cb3bfe659f966d64a8b6a6a0f36c91240aff4a8684bf54c2b6b9ba646c0dd4b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
f56cea2083f378f2d09a8940e94248cf

SHA1
7cc7ec90056cc77f84681ce349a661af085d6d57

SHA256
2d6281df4c164317db885fa7b24829ad859603a1513f4be5df1bb8e39fa91341

SHA512
c95ceaefae7c54e741efb3fc8e5268086b6522d5ffbb67b270a93c4086e79c9dfafbf26c4c2cc06ffc8c4ade2fc7bf9d23a35eae68528c0573de0741ce7f89c2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
a881131f9cdca5d976f3d4cd21320bc9

SHA1
375b62c84de21a29d1ad27ab9e9275700cd616de

SHA256
cad66d4be39bb9848d92e38c5521e331793acee50160af7cd96e9b77fcb77ebd

SHA512
4470804b76638dd7ad4c61cd95b62a3fae3e4a1b2e9db0172f791ec7ee407ff2bf41e18b22bad4fb068c44b854c43dbaf0b99201734ee3308c81e5fb4c5959fa

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
1c1f016395bfe7a4910f08b1afe87a31

SHA1
7d9d84e08f3ace5585a2c1016bb60ce430916273

SHA256
e8c7c94ce2985bd26e319faa106c6b9a9e90b01f3fb457792de0ad6f67a3e5f7

SHA512
edf81f4bfcbe4c8f71a8070b684519dfaf7f1d90f6752c1be764b9b1efc5af31db22a5783efc2ad72d6265ab43590cb5c7241c1ca4619c493a62054bac5dc3ef

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
MD5
d09c803a6384a24b3e021657ca780b99

SHA1
7765758673892bc10f7bb2d297614325a29c1133

SHA256
55c8ff601ccd0eac9e6671840357fed18a7f3197f1a544a4ec6e11b939fb422f

SHA512
602b1bc7afc536a8103286619903d0c7e4600c504fe4f831e5528e2a1b366bafae228db0b71f62379895c60f257f473df32fabfeaa36072e4dd723616431231e

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\c:\stop
MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/360-179-0x0000000000000000-mapping.dmp

Download
memory/592-195-0x0000000000000000-mapping.dmp

Download
memory/968-163-0x0000000000000000-mapping.dmp

Download
memory/1000-202-0x0000000000000000-mapping.dmp

Download
memory/1292-119-0x0000000000000000-mapping.dmp

Download
memory/1504-151-0x0000000000000000-mapping.dmp

Download
memory/1748-147-0x0000000000000000-mapping.dmp

Download
memory/1816-183-0x0000000000000000-mapping.dmp

Download
memory/1820-206-0x0000000000000000-mapping.dmp

Download
memory/2076-139-0x0000000000000000-mapping.dmp

Download
memory/2196-203-0x0000000000000000-mapping.dmp

Download
memory/2220-199-0x0000000000000000-mapping.dmp

Download
memory/2244-155-0x0000000000000000-mapping.dmp

Download
memory/2284-207-0x0000000000000000-mapping.dmp

Download
memory/2676-114-0x0000000000000000-mapping.dmp

Download
memory/2700-175-0x0000000000000000-mapping.dmp

Download
memory/2736-191-0x0000000000000000-mapping.dmp

Download
memory/2968-167-0x0000000000000000-mapping.dmp

Download
memory/3152-159-0x0000000000000000-mapping.dmp

Download
memory/3324-187-0x0000000000000000-mapping.dmp

Download
memory/3340-127-0x0000000000000000-mapping.dmp

Download
memory/3460-205-0x0000000000000000-mapping.dmp

Download
memory/3752-135-0x0000000000000000-mapping.dmp

Download
memory/3776-123-0x0000000000000000-mapping.dmp

Download
memory/3820-171-0x0000000000000000-mapping.dmp

Download
memory/3848-143-0x0000000000000000-mapping.dmp

Download
memory/3948-115-0x0000000000000000-mapping.dmp

Download
memory/4048-201-0x0000000000000000-mapping.dmp

Download
memory/4052-131-0x0000000000000000-mapping.dmp

Download
memory/4060-204-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 2116 wrote to memory of 2676	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 2116 wrote to memory of 2676	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 2116 wrote to memory of 2676	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	reg.exe
PID 2116 wrote to memory of 3948	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2116 wrote to memory of 3948	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2116 wrote to memory of 3948	2116	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3948 wrote to memory of 1292	3948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3948 wrote to memory of 1292	3948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3948 wrote to memory of 1292	3948	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1292 wrote to memory of 3776	1292	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1292 wrote to memory of 3776	1292	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1292 wrote to memory of 3776	1292	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3776 wrote to memory of 3340	3776	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3776 wrote to memory of 3340	3776	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3776 wrote to memory of 3340	3776	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3340 wrote to memory of 4052	3340	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3340 wrote to memory of 4052	3340	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3340 wrote to memory of 4052	3340	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 4052 wrote to memory of 3752	4052	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 4052 wrote to memory of 3752	4052	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 4052 wrote to memory of 3752	4052	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3752 wrote to memory of 2076	3752	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3752 wrote to memory of 2076	3752	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3752 wrote to memory of 2076	3752	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2076 wrote to memory of 3848	2076	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2076 wrote to memory of 3848	2076	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2076 wrote to memory of 3848	2076	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3848 wrote to memory of 1748	3848	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3848 wrote to memory of 1748	3848	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3848 wrote to memory of 1748	3848	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1748 wrote to memory of 1504	1748	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1748 wrote to memory of 1504	1748	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1748 wrote to memory of 1504	1748	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1504 wrote to memory of 2244	1504	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1504 wrote to memory of 2244	1504	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1504 wrote to memory of 2244	1504	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2244 wrote to memory of 3152	2244	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2244 wrote to memory of 3152	2244	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2244 wrote to memory of 3152	2244	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3152 wrote to memory of 968	3152	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3152 wrote to memory of 968	3152	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3152 wrote to memory of 968	3152	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 968 wrote to memory of 2968	968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 968 wrote to memory of 2968	968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 968 wrote to memory of 2968	968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2968 wrote to memory of 3820	2968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2968 wrote to memory of 3820	2968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2968 wrote to memory of 3820	2968	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3820 wrote to memory of 2700	3820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3820 wrote to memory of 2700	3820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3820 wrote to memory of 2700	3820	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2700 wrote to memory of 360	2700	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2700 wrote to memory of 360	2700	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2700 wrote to memory of 360	2700	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 360 wrote to memory of 1816	360	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 360 wrote to memory of 1816	360	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 360 wrote to memory of 1816	360	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1816 wrote to memory of 3324	1816	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1816 wrote to memory of 3324	1816	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 1816 wrote to memory of 3324	1816	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3324 wrote to memory of 2736	3324	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3324 wrote to memory of 2736	3324	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 3324 wrote to memory of 2736	3324	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe
PID 2736 wrote to memory of 592	2736	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe	0dd81f56f279afc218ecee419bfce86bd1c339b68012cef75b9586f0e276fef0.exe