425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
Size

312KB
MD5

4f7ebb5892a07ac0732374506f3a2955
SHA1

9cdd99c74f6422cf12a9d4c7c1940defa8db95c8
SHA256

425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a
SHA512

d46763190de3b34f435b390cda6aed683a4271690eba61bd4423171a0f663e642a239376c6066d778ba297105e305f6a6051ffebb1b8581c6fae4bf0f87d9f84
SSDEEP

6144:HrnkP+6bB0H9rj3fMobS1bS5pwWbS3b8ohnkP+6b5thbSxbSgdbS5bSxbSHv/B+Q:HQ+Qu9piwpwIG5C+EtdehueABf

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

resource	yara_rule
behavioral1/memory/1100-0-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1896-2-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000900000001222c-9.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-8-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1100-13-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1896-12-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a00000001466c-14.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a00000001222c-15.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-19-0x0000000000390000-0x00000000003C4000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000a00000001222c-20.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3024-23-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b00000001466c-24.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000b00000001222c-28.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2512-27-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2508-31-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c00000001222c-36.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2512-39-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c000000015364-40.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000d00000001222c-44.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2252-48-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1156-47-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000e00000001222c-53.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2252-56-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000d000000015364-57.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000f00000001222c-61.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1724-65-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/568-64-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000f00000000f680-70.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001000000001222c-74.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001000000000f680-78.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1928-77-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1964-81-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001100000000f680-86.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1928-89-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001200000001466c-90.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001200000000f680-93.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1560-96-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001300000000f680-101.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1576-104-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001300000001466c-105.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001400000000f680-109.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2752-112-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001500000000f680-118.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/912-121-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001400000001466c-122.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001600000000f680-125.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/476-130-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1756-129-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001700000000f680-136.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1676-138-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1756-140-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001500000001466c-141.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001800000000f680-144.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2844-147-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1676-149-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001900000000f680-155.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3012-157-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2844-159-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001600000001466c-160.dat	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001a00000000f680-165.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1540-168-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3012-170-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x001700000001466c-171.dat	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 45 IoCs

resource	yara_rule
behavioral1/memory/1100-13-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1896-12-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/3024-23-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2508-31-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2512-39-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2252-48-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1156-47-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2252-56-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1724-65-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/568-64-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1724-73-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1964-81-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1928-89-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1560-96-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1576-104-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2752-112-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/912-121-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/476-130-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1756-129-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1676-138-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1756-140-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2844-147-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1676-149-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/3012-157-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2844-159-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1540-168-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/3012-170-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1540-177-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2176-185-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2308-192-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1096-200-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2572-208-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2464-214-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2692-217-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2464-222-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2416-228-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2104-234-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/836-240-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1284-247-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2228-248-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2228-255-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2044-263-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2056-262-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2668-269-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2056-270-0x0000000000400000-0x0000000000434000-memory.dmp	UPX

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\R:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\J:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\N:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\K:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\H:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\O:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\M:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\M:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\G:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\I:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\M:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\E:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\Q:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\R:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\N:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\I:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\X:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\E:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\P:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\X:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\X:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\K:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\E:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\W:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\W:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\W:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\G:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\O:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\K:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\Q:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\W:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\U:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\R:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\O:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\J:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\H:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\K:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\H:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\N:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\O:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\M:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\P:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\V:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\K:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\J:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\T:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\Q:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
File opened (read-only)	\??\L:	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1896	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
3024	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2508	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2512	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1156	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2252	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
568	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1724	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1964	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1928	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1560	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1576	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2752	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
912	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
476	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1756	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1676	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2844	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
3012	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1540	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2176	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2308	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1096	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2572	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2692	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2464	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2416	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2104	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
836	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
1284	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2228	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2044	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
2056	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1896	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	28
PID 1100 wrote to memory of 1896	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	28
PID 1100 wrote to memory of 1896	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	28
PID 1100 wrote to memory of 1896	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	28
PID 1100 wrote to memory of 2280	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	29
PID 1100 wrote to memory of 2280	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	29
PID 1100 wrote to memory of 2280	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	29
PID 1100 wrote to memory of 2280	1100	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	29
PID 1896 wrote to memory of 3024	1896	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	31
PID 1896 wrote to memory of 3024	1896	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	31
PID 1896 wrote to memory of 3024	1896	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	31
PID 1896 wrote to memory of 3024	1896	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	31
PID 3024 wrote to memory of 2508	3024	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	32
PID 3024 wrote to memory of 2508	3024	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	32
PID 3024 wrote to memory of 2508	3024	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	32
PID 3024 wrote to memory of 2508	3024	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	32
PID 2508 wrote to memory of 2512	2508	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	33
PID 2508 wrote to memory of 2512	2508	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	33
PID 2508 wrote to memory of 2512	2508	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	33
PID 2508 wrote to memory of 2512	2508	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	33
PID 2512 wrote to memory of 1156	2512	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	34
PID 2512 wrote to memory of 1156	2512	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	34
PID 2512 wrote to memory of 1156	2512	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	34
PID 2512 wrote to memory of 1156	2512	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	34
PID 1156 wrote to memory of 2252	1156	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	35
PID 1156 wrote to memory of 2252	1156	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	35
PID 1156 wrote to memory of 2252	1156	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	35
PID 1156 wrote to memory of 2252	1156	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	35
PID 2252 wrote to memory of 568	2252	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	38
PID 2252 wrote to memory of 568	2252	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	38
PID 2252 wrote to memory of 568	2252	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	38
PID 2252 wrote to memory of 568	2252	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	38
PID 568 wrote to memory of 1724	568	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	39
PID 568 wrote to memory of 1724	568	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	39
PID 568 wrote to memory of 1724	568	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	39
PID 568 wrote to memory of 1724	568	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	39
PID 1724 wrote to memory of 1964	1724	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	40
PID 1724 wrote to memory of 1964	1724	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	40
PID 1724 wrote to memory of 1964	1724	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	40
PID 1724 wrote to memory of 1964	1724	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	40
PID 1964 wrote to memory of 1928	1964	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	41
PID 1964 wrote to memory of 1928	1964	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	41
PID 1964 wrote to memory of 1928	1964	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	41
PID 1964 wrote to memory of 1928	1964	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	41
PID 1928 wrote to memory of 1560	1928	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	42
PID 1928 wrote to memory of 1560	1928	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	42
PID 1928 wrote to memory of 1560	1928	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	42
PID 1928 wrote to memory of 1560	1928	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	42
PID 1560 wrote to memory of 1576	1560	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	43
PID 1560 wrote to memory of 1576	1560	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	43
PID 1560 wrote to memory of 1576	1560	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	43
PID 1560 wrote to memory of 1576	1560	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	43
PID 1576 wrote to memory of 2752	1576	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	44
PID 1576 wrote to memory of 2752	1576	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	44
PID 1576 wrote to memory of 2752	1576	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	44
PID 1576 wrote to memory of 2752	1576	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	44
PID 2752 wrote to memory of 912	2752	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	45
PID 2752 wrote to memory of 912	2752	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	45
PID 2752 wrote to memory of 912	2752	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	45
PID 2752 wrote to memory of 912	2752	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	45
PID 912 wrote to memory of 476	912	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	46
PID 912 wrote to memory of 476	912	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	46
PID 912 wrote to memory of 476	912	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	46
PID 912 wrote to memory of 476	912	425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe	46

C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
"C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
  C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
    C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
    3⤵
    - Drops file in Drivers directory
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
      C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
      4⤵
      Drops file in Drivers directory
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        5⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        6⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        7⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        8⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        9⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        10⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        11⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        12⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        13⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        14⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        16⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        17⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        18⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        19⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        20⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        21⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        22⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        23⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        24⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        25⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        26⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        27⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        28⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        29⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        30⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        31⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        32⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        33⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        34⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        
        C:\Users\Admin\AppData\Local\Temp\425e68e21da963a81f9211ffb3e4696f55bee7d9542c64e9335283f9c1577b4a.exe
        35⤵
        Drops file in Drivers directory
        
        PID:2668
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
341KB

MD5
bff6552c078eafe08d6b6a8971e855c6

SHA1
f11de224344ddb8f5068cd14a9b46345a771e515

SHA256
c39b24581e01d53509992b88f998d9e2681fcfb8e0c85c9a1058092e55a49a6b

SHA512
921843524042e858add8c3ddf1740314bb4c256e5113fb984d316ab2a4f835c9f0118cfee9070b29a8c85e97207983c09b0af8b5a65d549eb5fccb0519e48497

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
330KB

MD5
53321911ab072a36cca82f08f15f2b2a

SHA1
4d40b9ccb8ffae86f93d6f333c0c834190aa8cf8

SHA256
12423fc5de1f57dba30bdb74706adc75ae24ea7efb78385a83ed38cb02f1a79d

SHA512
b62e7d14589155031c9736c04bcbd10cb5a5016b5cf85a429958b49eef6af808f30254acd5567f14a5ee283e4d578b3552fca24b4fb224188f4936712b830581

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
314KB

MD5
15ea29812472fbd92b4f368a8d96eedc

SHA1
83ee689c70b9aff38f406279b571758e5f7e5f65

SHA256
976f3c0342f167966ef0d1f63a804736157edaa5a5d8c2fd146825bd21eaaf49

SHA512
e1e05bad0b206b30391ed93430dbeb6d9250d423403e94d7985e38c71056a956a068da6f23634dd3956096b6089628522b5e2f76addcd0a7f4c673c4e964f004

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
338KB

MD5
6cf1bbc56144012c2fe6f50c80df161e

SHA1
b9935b08ab6e4af402686dc8f2a6c51d4a887595

SHA256
63eb88bb833ee0358d1efe53895dd09aa922a35aec73f056c28b59c2555a935e

SHA512
80f33d42f83ffd990f4d37c9a2b6055e6bb7e194e3ae60861e6eaaddc1a7bcfc3aada710ae3bd6f4f4dde6f6060f33e132dc358e6dc3975c631acd80473438db

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
333KB

MD5
6cb8abfc6cc9894a494bae60dd60fa6d

SHA1
988287462da32685df874d8c7020295a70803dbc

SHA256
0b96c1bd4b24861cb91194faaefa61327f83a9135a8414c597cfc4da7feece69

SHA512
23d7bc8ef339e9f5a32f9dc38dc09202d4505eb08f3bf08c87db1ad1974471ed05283253e716fe3eef089a5efb4165e8f5d75bddfcb48747d1b25f0a87e3e14c

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
326KB

MD5
bdf3a93bfc5fe525370784c924863638

SHA1
8782ab47cbb7275b01692f5887b5e8c60c3c3117

SHA256
d2814d31e65f0d78b23f0231e2670f1c0a47e3c75adb9f50ceaf294b2d2fd0ab

SHA512
350ef528a3a6605e320de3f42de79f9212622dbbe8cfe43799bd7aec380a65ecd2f3ff05a3a025c4ac89a6a13333bf63bcf2f0fdf74b73862007cf0a32e0cc03

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
317KB

MD5
c6af3dba36262c4eb5ecc150daa417c4

SHA1
dd6ad5e3edbeb43633f4c9cf8c27c114426ff208

SHA256
7a0901e767166d720dc7f05584e0e6b1f8fce36470688aabdc55645faa263970

SHA512
5af3a37efe8afa6ad3ceb0a3b7b94f49c76754f37e657ce8a86c8d54bf4b02566c356fb40d75bef94b9c455a08cfc4536e50a570369228af62923ffe68841436

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
337KB

MD5
f0fdcc5e52f31339ef100aa788489ca3

SHA1
63b70fb666a830b5bc6dad958bd78aa15f80982c

SHA256
7f6de90794d4805fea0f6f8529d4ae5d7381b4e2156bc545e73365d2718cc32d

SHA512
cd5bfa44b4bf5b329034fbfb00a9bfea31d9cfd1a39a9f1ac22beb52dd841e43e899957988410949202c12242b3983634bcbd15287bdb831eb34cb8d69291ff3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
316KB

MD5
bd574f8dffee6800aeb5e4ca059ddc0e

SHA1
45b465208e849fe5852a8e3700f8365d4792726a

SHA256
f7872c7e2f8eb0c4deebf19f326790f6464b7c8cf94198aee9dd02e5a2486d74

SHA512
007ad94f14e74c481bb0795a46ca45bd7335ff4461b2b6442c0c2614cd6e6a89129bd22fc3a0dfd0bb80938e172334220e0f62a84949752c8075e2e0a0d6094d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
314KB

MD5
133f9ee22a9cc233d46c2580b6dd0fdb

SHA1
c29863fdc8d18135005cb554a91eb4a8e574b9c8

SHA256
966a4a804e78145b1def07d943abb4365530a96485434a3cc5b52e931322c064

SHA512
3ec26c50f48b47f7ca7f61d98ea7453283e29299f0644b2024af29ea7816286060cbc67bf341f78b485883643bc96ef6215c35172440cbc5fbfd37aa22ea4cf3

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
331KB

MD5
5a3e41ccfbd3787865c8c476af69d157

SHA1
1d026a609ee7e40680f83d1184bafc5b5209e665

SHA256
2bd4465dbffec7257842a812b1ee196d3893f426cde186353fb62e22ec08b850

SHA512
0bb1e3a1114579fe9ae19f8dacca67b765601968026656caf982a9289804579b877dd5280187d15767d0cd8b20716bb91a9cb512309c8a9fa63621deb40b0688

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
328KB

MD5
110bc53d993544918d41b1af62f2964a

SHA1
2d5c96a5ef004c46f0af4832c25652c925f26f5d

SHA256
b5e52e7c970c14e13840b3ba02841f91a872095dd976d89a05882702f3c6481c

SHA512
928008d6ef288bdf1c80cd2386906a54a50ddf50c5ac6f3866d8c06b0b23845fe3c00106270cf51ac8560f93731932e4103db76b8d83ecd33c45087b3f95ee4a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
321KB

MD5
8d6e200ba89ea1b1818d950cbeccc600

SHA1
b8a801af5b57baa2b92cc0dcbba15b2b8d09d69c

SHA256
f6b7b799c3e3ca00bf5ad1f9cd9ab9db022e341660e6af3a8ae2ae668031b159

SHA512
f638231e1e71b8cd8c4b9f72a93068f2593183082599937a40c7d32f9457fe5a4f13ab9cb23ee98b7130c82227c5f821e350fed0c3313bad6fdc5b7554642c6b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
335KB

MD5
f1f5811b0aa7dbdf6e5d4e64307518d0

SHA1
341ce1b222a9acf264fdca3e57a1a251756f3d05

SHA256
b62735a402c3df45b480e7bdcbe550930a586ceca00197a59cb4514be03fe7c1

SHA512
394564f0ee0a62a5ce9a4e48d114ff91d5cffed81dee83fed220449e1c8458e3efa08149dfcd317ad7508bc0c5241575ba08c56c27de8043efdc3713bd73d855

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
234KB

MD5
4ad7a7f21a41a0e3d590f0fed6c85493

SHA1
3c98fb2d5a0dca70eef0be3903e81fb47c79cbce

SHA256
0eb2f9ef256f83d5cd6bd1c457fb5c4bc0c1de24e7a55145acf70a89c77b9463

SHA512
16e06ffebfcaf66ad9063e3b20cfe77d4b23118cb41e0fdc02becbc68f33ed1a0f008e2675c50c956b76115e1b3d49ae05166623bef3b33c8916c321d4c723a7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
320KB

MD5
dd545038fbbb24a2978ffeb4f579dd98

SHA1
13595e6ea045d2cb4f51f7da553a24e95e95f334

SHA256
183316e1cb2ad4973a7f86e205fb295bd1ccaf0f17392d2e9c4691346b523a25

SHA512
1b3d45d10c4cd46ef87b2ef9df4f61c6c67a93a0c8bce5190fb42c0a59bbc60a5c01e9d03bbadee3c887d59015c3e90b1271dbfa095551ae57ec7da72377c758

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
337KB

MD5
213227ad1ad361550d6dc5a596d1b283

SHA1
779ef467df8c17ef1065318ecf9bd8ebfcb55a16

SHA256
ef8c28991064253a67a21ff8cf8810c173a97cad6571c7af00c1ef0c6120d800

SHA512
3c0d65f726d139d00c6f091384810a522bf6f54cf456f3ae0899de43b5fd42de9f66ddf0361cebc3bc18bff830148410b555ed176ccb2fab4c38c56f79d2f876

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
330KB

MD5
f85d981bacdf32f55941b9232668ce9d

SHA1
9db7e894d2ac816590021a3512bf299350a2c584

SHA256
13f2cfbe5dfc4480afe1149f3f924f31c2791fb2763d74bea27c184d7d490268

SHA512
0ea3be4ddef3de56893d8f8209a92061a328de9697e0002b3640da95e871ee25651fe451a516020cfaf4331ce0fd12ef579bf27bd44ee506c674edd52e05252a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
315KB

MD5
4e8caec85d90d137db8fd6f42cd224d4

SHA1
d50eacd19ccf32e9bfef6e3414a5cea45b8ad700

SHA256
bc05d64a0eebb8261e835057674976159f1560c2cb340289fe9a701f7bc9e765

SHA512
ce170206d4063661b85514a30460a39b69f4dd181ac4340dd28a1cfff12414579e7853775b29d1ed21b67e5bcedf3850cdbc0cb32c798e975e0e1b6ad489b49b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
79KB

MD5
1088b059d741a6923aed08c774cdc08f

SHA1
274d26367079ab876590808a3bafb33ba4f5b19e

SHA256
658b6c8dcc5e8d8fe59f29478c51d7bd1613dcdeda3c0774b3a74efb87fd6fd8

SHA512
edfe6847d0374f680bc2016ef1d673316cd8b36ce999238008e39d83119d553f0eefa5c02e6ff6dca5ea13cef3ca81cfa3caddf920095caf978a2109f56b4b85

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
337KB

MD5
ff745fc3723361b636562e1701dfe14c

SHA1
9b92a80b13c0dd423b11d9c8ee943cea25f6ed21

SHA256
30ee19bfcdac0867915236a8be73cae85002795ca2ccd37caec86936c7f02c42

SHA512
9914d5d4fab8a7496debb60130d38e79c643dfefd4d348dd0ea789296de984126927a08e7df18c8cd885bb1c3ee2b406598d8b3a8ca5ac0cef9deb9fb1ed3881

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
315KB

MD5
c7f2d560166bc33e812817a5040467e8

SHA1
c30e172520d35d56e56c14d39a24812dc50ab846

SHA256
5a75e11cfd01df627a6e9efeac15f1e2e1bac7e84242fb02f231a535f54dbe4d

SHA512
50b14772bdf6f236942c4638cc8ae0353eb4121678ccbe2e274776474cf9b8a91591331011bb79d7f4a946534ed011d9c50a4012b475a9b11b9b4389b0035243

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
317KB

MD5
f7efce1606cc443935a54f75d2a8b788

SHA1
319b99c7b857ff35fc5578d90d29e3b8bb380836

SHA256
cbdb7e507fd7e56a753d3267d91a866fc48033db3f62cb4d975fd01e9de031bf

SHA512
d71ce200fc90d4d9d3a867ff4f358bc4a15ec3fb5214ac1d4e97dc3d449728e5a1fae94761b14a1d9a532bdbccb46a5212a232960692c6c1fae344e429109295

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
337KB

MD5
69484c9d042f8e56d2184d2206b8b1d9

SHA1
60b09d91153025137cc4c120bad6ef05ecc06674

SHA256
9d2ef1bc279cd2977328e1b75db3d1238bce458521e4506e755e98e4bd59fa0e

SHA512
1810840ac5cecf2f43f2bf2c4ecc3264a67a99cb625ae3004f3071845b4f77a16f8bf26ad3542bb81b46eec2774ac8987e4158ba52f366e38dc877dee0559df5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
338KB

MD5
01feec3db3554c56c56335f2985cb7f1

SHA1
3260347c0f9cdfaa1182b523e66b5931a5bc60ff

SHA256
4fb063e39eb5d106b3aa4b05992744a96363bbc3a0e1a2c5b5966749636b81e8

SHA512
6e581b621afaba7c26ec1c320fa8307addc699d8000da54f1a559a25b0002b6e9268d1404f83c3f1c8c815139d72159f1d4b9d17d2121c99e553909a07d9ff29

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
341KB

MD5
2ccd719244edd69054e401dc8f078eed

SHA1
027fef7be2a24c269003c00c268168d6c36fd3f7

SHA256
7387b784c76e406bb254ee8620d2019cdd35fa6273fba46b93111d9a3624e635

SHA512
482c8dc730a721cb77ad385556059929a36fa287b9594aef49d1d95cc2849ca57be96becca32e2ca78a59c6def1a631cef645e06dbf90c3ddd80eac3406dcab3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
332KB

MD5
9ae16cddb6befb112fa90f76729e90fb

SHA1
88365a773fb365a62a820e9f0e59727f9eba0268

SHA256
cfaa759cab12bb0fd8b4210ed7d5c387aba8383031057ff3a43cd6b0f50c2ccd

SHA512
836790d1f7862c4869a7996863e1eb607ee77141d49774de701b3269ef0e650da4fd2bb7cfc6465107197bdd25d420520e05de4b1b4f4022a44e84e835254da9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
330KB

MD5
9c7a149f90da12f90d03b79c5134548d

SHA1
a81becd5815be8e60d45d24f72347909233437fd

SHA256
4403d0c5e530a20d319c403676d4326d92d1a87f84166f912a1cd38c5b160834

SHA512
df90d34b84267e31a4ea759e7d8be6e840fe6e3a5cb74c024254ba045e426815ef8dbea409e3eaa671993a6d3d20c95ba5507c1eb553f992f467b472da61317e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
336KB

MD5
60b19b9e90ecccc1d98bf6d452c07c92

SHA1
5bec3d46699fe48ae5d20c080e7c31ba019ec93f

SHA256
5f8dde9cc4cd866d03b119bf05900e5a25006d4559b95ec6f21c0c2962d03686

SHA512
7b58a6394b1b1d9c4bdbdf5eef70df1a011659ff2f8e0792fda3c204ec2c41ee095057e029c42b952e06c6268306d489d935743bbb38faf3114f6e6699edb4e6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
328KB

MD5
bbdd96b2f04cd322fe4a9d10fe85432c

SHA1
55af70352164f1b3716a07307a0e3e31e6e8819f

SHA256
20603bf6cf3ec65c5d6b8a7204af7af3ce7a75f4843e3f85b378735cc498e7d3

SHA512
ae2ff797aff45daa644506a8cc7c8bfd3f57727e685e575da4e5a9dd9222ae01faefba0fd28f9fc3d1b43c0dc8aae34daa2d604af0bc39d0d7f346e473dc1459

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
343KB

MD5
ef10f495cc6f3ce20c19b67f9e1a5a09

SHA1
201c33c23d6d6c346fed522d7eff5648612587ae

SHA256
30f9bf84549abb63d4b1f6a973eaef8ccbcf2b15809f7655f5c869e405bae5f7

SHA512
a72bbb712370cbb6b032df12374d72a2b162df6015a6d3a999e53195b14c6afff3979f2467754bb4920832827a5cdb48156a75bd6b17539480235406cd308ec3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
343KB

MD5
32a4e5cedcc0ceff50d5f3047a29d5c4

SHA1
9e7023e9839bc940335a908d636ccda95c10d76f

SHA256
62264a3451d584a48b127e4cd70367dfb8e38700e0a20845e0dc41e5725ac8af

SHA512
80c9a75a94b07f1aef8857713ed3a11296cd6686ba80de323064f9e883acb99c338527b25b9d9fe49de26c3cbdefe2e3d3400cecd230072582b7a05e607e71a3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
334KB

MD5
d524038ef7efe4e8cc9b172df72f347c

SHA1
f7fadb2f54b88cb75cc82f2cfdbc90c7fcdbf56e

SHA256
5c148835b66461d2c2265bb4d991dfff06b46212100e7f81d962fd763746e557

SHA512
1918500520611680295673399b70668bcb7bdb471880adcb73335a15b149daf0d3d01a5137a8c19c2df4f6c1cc83d951d99df0d63e2ec44b00e98eda9bde0bc3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
332KB

MD5
3a57abd52ee63fcb141edb48d2c7eb1d

SHA1
bb88399344b912113e44563dbaa5da5401d52988

SHA256
1b55754b300d261b8c6685c52dc69103fac7cfc53225377afe0e0eec243475cb

SHA512
447dc8266c7feb72512cbc75638807bf6a95719410bb34037c2e2ebaa583e4e941d9fc2a973501005d0d82f7ff168533a885c19c8e5c48d4219e8d5302ddbe1a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
338KB

MD5
a3612bdb023fb00fd6b6ab17ab7721e0

SHA1
aa0a8f3bf57f86cc862ce8a431c4035af8266c4e

SHA256
cb283844c93646c3cf041c4ba3d21522952e77e7f6a6335d8e3ac68d94b5d0ea

SHA512
d429abb56c1f65b073b0ef9e1f326c71a6f1e533e8b1636c1edde81b61762d8b8353dc7c318a29ca82fce227f7dc054f5bf9dc7bdef6c85c54e46bcb55261b29

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
341KB

MD5
b1d8115ddfd559c9dac5679db1cf3d53

SHA1
84da96d0d77488faaecc70430892d2a5c16f3690

SHA256
06c29a7786e9bc80b417b58c5a0c215ee9554442c39c5b5b7090125ccc7e44c6

SHA512
ecfce4a83811cfe7a220abf09c75c33df99909b1894717e7780110cacf2e172925022dacc4fff396d3a127da15594100b691d8c9fbae49332686cb9bede7c54b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
342KB

MD5
3229a0baabac6a68b6ebbf0d2368af35

SHA1
2881e963cf2932b3ba7a570520185ea79c866178

SHA256
2cfea26427d20782869c128a9b938e23f7a80af0ffd5feff79435db6efc4505d

SHA512
1fa42d59bb410b7cdd232238318f7442604bad60426c60c5625de401555c376f387a80c0c6820bf31dae3a367d6961347444b5e36193fe46794ba9a06244bc94

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
324KB

MD5
2db63e091abc6f5763eab21624bfed47

SHA1
8916a8489b2ebafd1fde03b0a0527daf914d1740

SHA256
9d23a113d32d3bd110ffadf97476baeed6b5077ab964436f67734cd6f9fc9554

SHA512
bdfcde072c9f8ad6e689a721fd7b309f97decabbe683c2951e1470259980248bc11ab1bfc04d89b6186e1c29b941f6f336a28898cad902486e600cc1ebdeab04

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
14KB

MD5
13aec22cde3035df7b140ef34bf278ea

SHA1
07f21a53096625b96abb442d8a06c7c82f5d25e8

SHA256
af14d818dac02481c9e98f3273bbed9c10c079a25cacdbf25e559c0a8c96cf3a

SHA512
57c55b746924ec79430a30f943268ef100619dccb2226765fe3c50a26b30ab061b3d86f0be04506a3d36555fa1726ddd3668fcc33ebabbc7dae6a4f1ecd44e55

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
320KB

MD5
85ea8efd846e674abd5273bc4a9b0fe2

SHA1
75dd878a25ac11d96f4ee1d2bb67ab44d11b3301

SHA256
d93c38342b75338310f92c98b74c4e3eb4711e1a8e1baca1828d3a5bff0a5542

SHA512
94e6d6553fb1cd8f8f312f1f300015687ef86281ac63986ff32c4f5d61dd9a1a6ab3359ed775021be1265932e591d0f469e9914d3f4196de647ebbe17fe52d81

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/476-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/476-127-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/568-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/568-60-0x0000000001F80000-0x0000000001FB4000-memory.dmp

Filesize
208KB

Download
memory/836-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/912-117-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/912-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-200-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-1-0x00000000006D0000-0x0000000000704000-memory.dmp

Filesize
208KB

Download
memory/1100-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1156-43-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/1284-245-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1284-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1540-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1576-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-146-0x0000000001BF0000-0x0000000001C24000-memory.dmp

Filesize
208KB

Download
memory/1676-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1724-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-135-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1756-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1756-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-7-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

Filesize
208KB

Download
memory/1896-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1896-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2044-260-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2044-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-253-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2228-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2252-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2416-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-214-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2464-222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-31-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2512-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-204-0x0000000001F70000-0x0000000001FA4000-memory.dmp

Filesize
208KB

Download
memory/2572-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2752-108-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2844-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2844-154-0x0000000000360000-0x0000000000394000-memory.dmp

Filesize
208KB

Download
memory/2844-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3012-167-0x00000000006F0000-0x0000000000724000-memory.dmp

Filesize
208KB

Download
memory/3012-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-19-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/3024-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download