546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-03-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Size

527KB
MD5

d2a84cd7cb1e7c8a63820f030753a8f5
SHA1

15d0538bc7013357e897f02c7e2175c122b2e826
SHA256

546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350
SHA512

de53165cb051c841207371ab0a05a1a69f9aadced101c419e3bb83f167da69ab1c1e1e524d1bf20573ae99f41490ed3f66afeaac6a6bf8367613947607c4c51e
SSDEEP

12288:gQ+Qu9yus9exo/2oweeKie/fU94i8Z3D+RXseaj9Mav:8I9exo/2TeeKie/fe4i8ZQseaj9Mav

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2936-2-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2508-11-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2936-12-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1844-10-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2616-19-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2508-21-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2464-31-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2616-30-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1456-40-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2464-39-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/624-50-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1456-48-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2588-59-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/624-58-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1564-69-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2588-67-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1564-77-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1184-78-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2276-88-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1184-86-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2392-99-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2276-98-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/268-106-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2392-108-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1128-116-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/268-118-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/916-127-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1128-129-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2736-136-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/916-138-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1256-146-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2736-148-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/932-157-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1256-159-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2000-166-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/932-168-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2000-178-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2200-185-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1944-187-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2480-195-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2200-197-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2492-206-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2480-208-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2604-215-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2492-217-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2524-225-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2604-227-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2424-234-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2524-236-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2792-244-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2424-246-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2792-252-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/864-254-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1728-262-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/864-260-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1728-269-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2088-270-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1740-277-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2088-276-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2032-284-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1740-285-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2804-293-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2032-291-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2804-299-0x0000000000400000-0x0000000000437000-memory.dmp	UPX

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\X:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\T:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\P:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\W:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\I:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\H:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\T:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\L:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\W:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\N:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\E:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\E:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\Q:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\O:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\S:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\X:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\R:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\W:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\V:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\U:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\G:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\M:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
File opened (read-only)	\??\K:	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2936	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2616	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2464	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1456	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
624	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2588	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1564	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1184	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2276	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2392	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
268	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1128	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2736	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1256	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
932	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2000	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1944	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2200	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2480	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2492	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2604	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2524	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2424	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2792	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
864	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1728	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2088	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
1740	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2032	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
2804	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
680	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
812	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2936	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	28
PID 1844 wrote to memory of 2936	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	28
PID 1844 wrote to memory of 2936	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	28
PID 1844 wrote to memory of 2936	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	28
PID 1844 wrote to memory of 2832	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	29
PID 1844 wrote to memory of 2832	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	29
PID 1844 wrote to memory of 2832	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	29
PID 1844 wrote to memory of 2832	1844	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	29
PID 2936 wrote to memory of 2508	2936	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	31
PID 2936 wrote to memory of 2508	2936	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	31
PID 2936 wrote to memory of 2508	2936	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	31
PID 2936 wrote to memory of 2508	2936	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	31
PID 2508 wrote to memory of 2616	2508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	32
PID 2508 wrote to memory of 2616	2508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	32
PID 2508 wrote to memory of 2616	2508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	32
PID 2508 wrote to memory of 2616	2508	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	32
PID 2616 wrote to memory of 2464	2616	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	33
PID 2616 wrote to memory of 2464	2616	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	33
PID 2616 wrote to memory of 2464	2616	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	33
PID 2616 wrote to memory of 2464	2616	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	33
PID 2464 wrote to memory of 1456	2464	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	34
PID 2464 wrote to memory of 1456	2464	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	34
PID 2464 wrote to memory of 1456	2464	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	34
PID 2464 wrote to memory of 1456	2464	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	34
PID 1456 wrote to memory of 624	1456	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	35
PID 1456 wrote to memory of 624	1456	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	35
PID 1456 wrote to memory of 624	1456	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	35
PID 1456 wrote to memory of 624	1456	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	35
PID 624 wrote to memory of 2588	624	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	36
PID 624 wrote to memory of 2588	624	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	36
PID 624 wrote to memory of 2588	624	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	36
PID 624 wrote to memory of 2588	624	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	36
PID 2588 wrote to memory of 1564	2588	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	37
PID 2588 wrote to memory of 1564	2588	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	37
PID 2588 wrote to memory of 1564	2588	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	37
PID 2588 wrote to memory of 1564	2588	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	37
PID 1564 wrote to memory of 1184	1564	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	38
PID 1564 wrote to memory of 1184	1564	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	38
PID 1564 wrote to memory of 1184	1564	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	38
PID 1564 wrote to memory of 1184	1564	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	38
PID 1184 wrote to memory of 2276	1184	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	39
PID 1184 wrote to memory of 2276	1184	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	39
PID 1184 wrote to memory of 2276	1184	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	39
PID 1184 wrote to memory of 2276	1184	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	39
PID 2276 wrote to memory of 2392	2276	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	40
PID 2276 wrote to memory of 2392	2276	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	40
PID 2276 wrote to memory of 2392	2276	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	40
PID 2276 wrote to memory of 2392	2276	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	40
PID 2392 wrote to memory of 268	2392	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	43
PID 2392 wrote to memory of 268	2392	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	43
PID 2392 wrote to memory of 268	2392	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	43
PID 2392 wrote to memory of 268	2392	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	43
PID 268 wrote to memory of 1128	268	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	44
PID 268 wrote to memory of 1128	268	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	44
PID 268 wrote to memory of 1128	268	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	44
PID 268 wrote to memory of 1128	268	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	44
PID 1128 wrote to memory of 916	1128	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	45
PID 1128 wrote to memory of 916	1128	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	45
PID 1128 wrote to memory of 916	1128	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	45
PID 1128 wrote to memory of 916	1128	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	45
PID 916 wrote to memory of 2736	916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	46
PID 916 wrote to memory of 2736	916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	46
PID 916 wrote to memory of 2736	916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	46
PID 916 wrote to memory of 2736	916	546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe	46

C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
"C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
  C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
    C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
    3⤵
    - Drops file in Drivers directory
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
      C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
      4⤵
      Drops file in Drivers directory
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        5⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        6⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        7⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        8⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        9⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        10⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        11⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        12⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        13⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        14⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        16⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        17⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        18⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        19⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        20⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        21⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        22⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        23⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        24⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        25⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        26⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        27⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        28⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        29⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        30⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        31⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        32⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        33⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        34⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        35⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        
        C:\Users\Admin\AppData\Local\Temp\546d87eba6087a4eafa14149fc5963500dddd3f720637e8bd6e8a2bd949d1350.exe
        36⤵
        
        PID:2304
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
550KB

MD5
710c9a30454dfd6e8849adbde195351d

SHA1
29a743d2766b611e4737423a4b75aa4b26fb1599

SHA256
206b6db431ddba798fe893289b9163587036ffc4b49e8bd5605e3ba972598ea4

SHA512
325f76a46992985a730b487035296b7656ce32acacb5226e643691c2732c47dc8d8ab86a74be872c3f3a513c57b81dd8f4f37ce2f32267c349cf965a78ac3e08

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
529KB

MD5
422d015b5bd1ba5469c35a69f586b2e3

SHA1
6cec360b12e5d4c497b915e8c6aeda6de55f8dad

SHA256
1900abdd5a53625dec174575ae7210e7248e32fcb24e0242b4291d279bc0b9d5

SHA512
dad51301738a6e518a706103f0645572256527d07f8196c11587609daa52c61d65c9879fb4c069c5ffd94485c73ca8111f5a43e07e00b29befdb23221189f237

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
533KB

MD5
419816ff88aa44acc2d841cafaa8f8aa

SHA1
6bf9a4ccec432c87da60296b3ad7498ded89be0e

SHA256
c3eb390ccf799f66e9180151f8aa454132718375668734d10884b7fc0c8bc12b

SHA512
3bb5b3d20c4e1914abf3d1d805451461be346c97e6e811d2cb227e58672d56af3ecb0bb43fdb4ddc623d592f8c1a66d3eafe753a48542ea3f7a269132cdeb1ac

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
529KB

MD5
9af6797db3d4723446410476ea27cacf

SHA1
067226d8ef378c76f78e96a09ab1504a9b82bfe2

SHA256
93dcca40245d6572b5a1b63ad42420a9f03601e4de6e0c5040e584f5063e6186

SHA512
8bf89bed3bb3681d53655bbfcfe78bc7eb0b528034ef49c22007e4ef514426291ad9069301a84cc737bd455978cabc5b53ccbf9efd6b987fbf28a71c37da6138

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
558KB

MD5
d838fdc6c99415a0f84892f0358f86c6

SHA1
5355e2e04adf536c3f27a5489ff3dda4965ffeb5

SHA256
3c342a02692a94d73681bade4221784f8698527acccf61d696e9bf69cdf8579d

SHA512
ed6360a4fc63422d6c7f3a1baca805a3f21d5a6cbf79781fb4c4743dec2a393f0d44c48764a1c858d4764efe06dbf0903eb8274727d070bb3a716e0c6c29954b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
535KB

MD5
24c9a1bcc3f6a0fea427e531112f60db

SHA1
0f9637a889aad6e0669399d61f4cff2262391007

SHA256
d0e4f6406ea3fa37099e58f4d0fade8540615a73798e53f687aa382c36d46210

SHA512
8f7453011549fd14fffdae798220978a64d738ed75ee7a8966cacbfd35f76fff167329b46581cda995fd6b7c8bdbb3700a30ce09e51b90857d5b77da6d139ef7

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
538KB

MD5
dbe2d369657f8d047f1106e2a88e6987

SHA1
797c66dfe950801061e2a794f94761ba8c33d38d

SHA256
b7d1cf16082fae6d618e2a00f9d285e4c888bb5f7b5509c06ef78766302992e8

SHA512
39f50cc69e14cc1ac327642f7e39bf289d3a314839d259cd915ace836529a01894c292cbb670b95de267c70f45f82d0d8c0b79d864f62e0dc633b92957d07d9b

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
556KB

MD5
c1808e46dfc6dd6c97662164dfcd6f26

SHA1
3b3d3a35b91e7a97bebd4dbb0e63f694985c1a30

SHA256
7f4da1b56abae21097f72065512d866af773f0dc0ff44408e12103a03eed748f

SHA512
0261f338539e40f66f213b6660c0cbb1a22dfc719f48aeec0705887e060d41249b3508ec65033d56e8d0653d844f002b020bc4f4704b3b923d17cd0fcca68aa6

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
550KB

MD5
dcd109fc2fd9b35d408b92dfe426d45e

SHA1
ee19132e48781dc8f2ba484bd694468ec7e8c613

SHA256
ab20bb88c692529b1c0e81ba91d5e59d835127804d37abc3e41f65aeb9c6b4f9

SHA512
faa64acd405e47bedfd69f2bfa6944a5cca1d47b5b5dcbc77259116c0359de4dbe95aa149b1d57709f594e54d3dbf657df221ed9a9201b27d641a0a5c44281f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
554KB

MD5
982319750d66b15a30005d2a49731431

SHA1
7dd7a749a1c034c1ffecda47a737303377e7ecd8

SHA256
28c91b5bc99d6a80e822726d93c3beab7c2ca5ce07f2ad043659f18a3807802a

SHA512
d6988b0fee3b5212def4d8a58f936eb4c7e53877bbd7381a3df3897c7d8987d1078ba17e07a94caf528ec7a444ea37663e06fc96ae5b5bdbf3065c7c917de959

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
532KB

MD5
e8c7bb390f2e23ea243243c1e9cf769e

SHA1
6c6de2e26c9a72951ac86063787480a7e53921fe

SHA256
4313fb2b0d03ddfa8a4cc2fd57391c58bf261c8553dcd2361e06ab5a84d1df66

SHA512
54ea3a026649134a43f4f540df72b4bc39cc5676668136d25bfa5b5c23a7617ed211033cac5ce3178bf8a50034005218b8ea6dde8fd046f0e849b6107dca737d

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
529KB

MD5
c576ce6a25ca7cdd8e883733e6ae34bf

SHA1
21c2c98d735ecfa3e6648de53b88a66884c9cd89

SHA256
4cb4b22c399cdf860da4a9c5fbaf18c755e75da47f5e76e7794f402fe66cdfcd

SHA512
f32ea6f7d69f22225e5f434f740d05083a9745f4ff4ae1eb39191bfa69e279b334c465c11841b7657256d59d70e08557f0e90beb1b54e08b587cab54127cd1b4

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
541KB

MD5
38b5ea249ce762bee070d7b1afafc048

SHA1
b59b8cbfa714c9fe87d4228dc3e0184276a744b7

SHA256
e076fbe8824824dba477930de23f2caebb559aabc938a14a38c19029a0cc7d5c

SHA512
c154b4f2c3b83e6bcd9811734ffa297b1368d068bd6fd34a5939a626c2508131f510c7fc77b1b0174f50f89dd4d8f4f24db8dec9b1d87ceaf60d6bcb24b82706

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
528KB

MD5
63d0724c6700c5ddf93e035f0c9d6e3f

SHA1
133b98a338384b2fcab662defd2b7511e3c9347d

SHA256
c8f7ddace887369bfaeb8a8bf4b1bf0f4c09b76982a9bd3fa366e61880e4ad5e

SHA512
73b1e141f037b0b8a06ba49cda9c96336129861f4f8615b95b1e6f1c069f854ae2c8f52216892ccf5f9804a945eae3c2d9484f5b25eda6f334e42480df6bb9d7

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
551KB

MD5
6680c274094b13c7e8c6df4a7df1ed5e

SHA1
a05e8da7a67d57a43fdd2211bcd796183cc8e1d6

SHA256
5b62f54cf2e66def182a8c4213275d3c517c624f6fd4e7f93c5d21e836c02493

SHA512
96de4353c8cbabd04da9eb9a4df13cbbd4c565b147350b7f8546d1a5e0d1db116119f34d399df197aa7dabd2c8fdab0dc920773f2d55de9ebd18c34e2d308bf2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
544KB

MD5
4287e92028181ca358c890b1ecab817a

SHA1
b499f6ca0d39aaa0b49aa5a4c7d6c5ec760b8423

SHA256
b69df0b2d7fb5393b88de728775b6727974a99c6224b71e278c3e29dddd7ac13

SHA512
b424c98ac5508877a09179801c9fe426317675e883249550e1b2332d97f7d98b43bd99353bc402b9bb7510ace6816bd804599b25e2a9c5c4eb0e9e2c47cd7529

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
529KB

MD5
1d68372e3d570c8ecaa7193528f9ec2b

SHA1
5a2c611d41a881268a2778288dabfeb354201a78

SHA256
3dd31bb3de81e6092f6c9d350d2d1e61129aa38903041cd94997a84f45a0dc5a

SHA512
d3a1d0736df15dd0c26ce0495a465563eaf5e83c388af5df40df1805aefc211f075617251b1efb5122cc764bee08e5aab39333aa499bf75539245c6f3182726f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
556KB

MD5
563369f29568410702f106f5b0497b7e

SHA1
e25624add08e19fe8348651ba2207dd16fc1f5c8

SHA256
e558a7efc3dd408ac18503a5ffa53cb1ce4fa78e4b37bdc5e03aa025ba9a5835

SHA512
2e4c4ca295e6477790020b9edc6732972c767b1e171f7066e2bdc007b09d8ad120e002407e644adcde6c35b6a2a2ad8555251b01af2ea5d398d70597519797f0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
538KB

MD5
25a38e4efc5e95a51655af96d02d3f7d

SHA1
4f648c45ce5302a972a8bea3c4e30e82bc6970db

SHA256
58da3c8a4b4d0497a5a15e1e7e928b85b5e42de161847614e95d0209655d074b

SHA512
8e8581df0b52ab9c3ca27762d21fcd8f718cfeea4b5b8e63b9559b70a27f64bf923910726120364c45701575807cef5858432ccafb8f5bf7fffadc669403cb1b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
558KB

MD5
c46afcf33464f50fc4c0356a3e0db4cc

SHA1
af1533be8b9dc6aa121e18a751d08ee34369d155

SHA256
ea15af261431483124d1dfad9a72551da1cbcb2fdfb81a8de2ab54dd28706dec

SHA512
555cbbbfefd302bfeae17d18198770e0ab958e59846a1c61a4274b3f880788a7ef7cf19a4faf006601c84d8fa5bdac42e36eacad7321473318db1ca01b097662

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
548KB

MD5
5d4c340b16ea30f72fc842c149879b9e

SHA1
3622c4a35ef6968429f8cdf2f2e836a39c8459cb

SHA256
ba93adfe591cb10e4406cb13a75e84630bc591f85958c02873e214bd7f41f62d

SHA512
b3d4117db2c595614f3a4b33be270368f0d8e74d43da86555c670004346bea856c8114e0767395a6a1b9989fb809d02ae2ce9483983c691c591965ac0577dbae

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
542KB

MD5
7b31e9a5d3ff5beb95112ee5962e16a0

SHA1
ef38decc3d80c83b1a5d7bea10b95dd12ddaaeea

SHA256
196789d25e4f8234d5e7f99413e748f156ea926d00a6cba9298ad5500440bfd2

SHA512
aed4acf923ab8d60d2698eaf43e4331d8de5a0ac30f5f84aa6711f792873ebaeb7db78a174bacc521b6c7e93963dcfd5b2cad7c61895391684249694ae419663

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
535KB

MD5
4ce0e1a489566d30f86fb76f6a4e6ea5

SHA1
1ac321c8574cb810cef56ba18e5b5dd0be73ad9a

SHA256
8cbfc09dd1b04d2a0c6d7907d058f20fd405618ac810c6a50bc018addcb6a42e

SHA512
6c7b8be81ea09cd5a0251494df735ff1292cc3b9e29413162ec8ade9c21fcf330e0afa9f06ec429a53542e58fff21016e0d663d8492a4609a62a35d2240e3150

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
530KB

MD5
67b36bf005581e017c79f28703c28a11

SHA1
c81818cd455ff7bcd6361dfc3f69e12f880bb9ed

SHA256
df82969ae62ffad592d25c2fc7d44adc82abd1c3c1b6e2dc8267383f520156ca

SHA512
4eab4bf3c6b22d51bb834f2e581e6b65c42a55fb20fed61551eaf0206ac901efa4a7c12cfb08dd5c2080dd29374698ccb1dffccde1a77a3b411cb26b588daa8a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
554KB

MD5
06b4994fadc24d5e63be9c34a27db503

SHA1
cc404e06d5305816a06679ffb2ed8ab804a4b4c1

SHA256
4293d310d289e5423670b5242480f4a89d869fc18513a097dc66f9428d5ce025

SHA512
c2ee699ce64c4855739765ed1f2d86b44d48162d3cac4d985c76795cb3bb60069a5402475c4fa593f1ea9cbbff2963ac84de4754659c363cf6cbff7ba26355a5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
549KB

MD5
f2144e4d668a5e60e384a1d891a5f71c

SHA1
faf29272cf37bfe6e3bfd00c570f48bfc36367c1

SHA256
2efcc2997d1b6e8fd681a0fd7d0d474ae57d0e042bea89ffcda3d14f2918f39b

SHA512
23f06d87bd1b1563af259bb57df83ea9dad55b9dcdfb9edab96011f3e2e66954bf797bd73774ed505266b0fa34cec3696c5c0f44fc4722078bedb63a15770bdc

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
531KB

MD5
196be6d186cc8dfc77f9f5379a2d4399

SHA1
149834fcac4d756658bf688f19703125b0b0e3da

SHA256
29e50f741e9b924c466fd7268f51d04e40b6626ac7f45ff8a30767f458d23be1

SHA512
a63ef5fe97c6c5f0860c90e0c2e1a03f7a5a01fa89a634ee6cc8ed2b3637bb860348674c7c676f31851b48deca5e5830a2705f3cf3de9b39aa5165c946c2d7e5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
531KB

MD5
81ef49362f096c8e0c1d737d978be72a

SHA1
c0366beb27c2b787456ba4f365be6f30a4f088e2

SHA256
ab5b07c04d5dee193dc2ac9c0b725acbbf4d8a3898a39a0d7f6a13f88d5bce59

SHA512
e0241264a40bb9f5dd0af83be4136191a3bb6c2cb024ce1ae9fe260d251626e742f351d17a711bd57a5488f2d4631fd0930469c3acc87f7f6e57ab099eaf0d08

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
558KB

MD5
31124a91dfd3b7aaabe4edba525f7370

SHA1
30108ebe269d09b2fe15306823cb2d612eee661a

SHA256
e141180f31b83f7b798f9a262696b536373455fb18490fe03ab030a18edcc00d

SHA512
d1e52a35fc31e64620a752c3ef513834d56fedf82468b9b77c1fd3ea49780a7dd22c429d1ea519a47ab572269cacb8cf156a992a094d6aaaf0379032314f3b5e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
559KB

MD5
00d5135508c9878d75c5275d037c6237

SHA1
30a077fcc6b367d06b07ed5d5e40fd9826f8c2d3

SHA256
4c641817bbfbd4770c62fd9818b078096b5da13b366aea40ef0c5fe22029eaa8

SHA512
c8375f31f16ecbd52f87f039167116ab8f7cf22a583b0e0f5f84faf60a4155dff84d9893c23a22f80c5027ef8210d37836e3cb6587ced9ad5b8785454db2a8e9

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
538KB

MD5
54dbef24352c2b99a226ef83ba648e59

SHA1
2cb569df6f545732a39e24310257c88528a7d390

SHA256
5eeda9d1248422bf9f6610d85833ac0af7b964cdbbb55b3ace1116208bfca646

SHA512
1d99660496fb3b892a1e84ac8a82a58ed4ed7133d52adad4fae529c72780d10fcac83d77d84449760e25736c4b13e87780c5c0431566b5948da3ea66301e7018

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
535KB

MD5
4378c81d66212aaa84892ce6322c84fc

SHA1
b49e0f8f9fcced40e67607b17592ee7c1c422754

SHA256
26d932f186d04794a833c9d7148e0e3be143e2ebadfced9f9a266e8277e4fc95

SHA512
a495ddb5f1b496282ba31ec2d837e8e75b8bc42f1774a0247bce23c65be3e39b4328ae33ee6d9fb1707700c3bb3cfc78a119bbbc5c27e8ecd6a0e58178138eda

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
547KB

MD5
f54eca9891e3bd500e136006922cff6e

SHA1
159b1ce0c68d94e2340af5ed0c3e126cb8d15846

SHA256
f0cbff5ef9e9c9ab94f217cc762ec23100e8d765e23db74ba471ae3fa850b80d

SHA512
9620f7901151bac0bc13042829d7091f505435a0c9886188a8c94cbc20977b268f7f19be959b415b89c652c61830e816348fe9141ef6f9f6a5791811f1118a58

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
552KB

MD5
59e8e50b0a18a751b55d7f3b37857edd

SHA1
cf9ad61f49ecf354bcd43976bb5f1777ae42e9a3

SHA256
74468108f8b19abfb6a99e6dc2e17f29412a5b069ba99a24337fce1f4772ef27

SHA512
90ba2c01f62355dbc7982803395448b7b285ec5eeed5926144351da6bb7f2d3e29f86cba4a6170d9bc16c199df7013ecaca0108a43a7042044fb8c0aa6414283

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
558KB

MD5
88fab475f07390614c89c6560e8399da

SHA1
530b3e0b08b91278af4180ec764e6e20441710f0

SHA256
b6b1ff1176d6ca9127306aae11045f3bc9984e81584a7b22d247eb289823087c

SHA512
b869e27f7d651b69715aed846fe9b3a068558a2422be1296069ab278895878699b16df5ff35fbfbf38e15c5959ba1e948eace79c584b7bf112a7ce29f9859f17

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
545KB

MD5
f37416a4c20b2b55b4aa9c13e17276e8

SHA1
3d12cecb6020c3def5787192148bec96592b09ef

SHA256
ebf90a3e2641cd10fd760da4086e0622b47125622e91a1b96811e744c7917e2f

SHA512
0684efdc0091bba37b2f20904b40cb6caf0072afe1f4c0e3dcbefaaeae54f0a5f4282322b620c8573272aa844561c24340b50d0acfb30891959a3ba2e647848a

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
557KB

MD5
4ef9de10cf2f2b6d625e4410dab6abc1

SHA1
3b7503c48e26bf517daf68f2f8c3a2f635fddc74

SHA256
349a9729ba0f9a90a593b0d0963fae6b4513b6773a8c39ad8df31e4747210c3f

SHA512
186f09806a17e614ca2530ab4a72e53a15ed9caaa4fab0debb4df9fe7865ea107149a5623e551b1076a93d4124128a4b419761977b2edbd3520f432b6621a978

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
542KB

MD5
b44fcd3c807305d3b3520c09dee3e875

SHA1
f8c01678089d7b99edcac5b197832435d9f660c7

SHA256
d5c42883421cd9dff22e9581c8ce9ce9e1ffd7fb21867ec1ef9ebb821ddfd53d

SHA512
9e868e5cda663827a2abc74d69af0a6e87440fc816576b873523a230dd778e779b868f2a7aa3601e4b19d7a65b9e8f761d22f882038f1c14bf336957641ed12f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
534KB

MD5
187215e52c7a761cfd95c489091b26d4

SHA1
77be6dd2afd5c7ffe9bb4b5ba40fb15adafd5968

SHA256
1ca596cbcd8459610f1cd6b55b241c8d24e6fb970d0a887d0fc1f0e7c0725f3c

SHA512
2f75335aad9ec3b6774926fc984fe4c96173333c1565d3d38b89c0d1a2f9820b9aa618d4b76cdce81dabf8430f94a68ab8e521bdda34bcbe9d7efb82ebe49d3c

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/268-114-0x00000000004C0000-0x00000000004F7000-memory.dmp

Filesize
220KB

Download
memory/268-106-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/268-118-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/624-58-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/624-55-0x0000000001F50000-0x0000000001F87000-memory.dmp

Filesize
220KB

Download
memory/624-50-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/680-307-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/812-316-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/864-261-0x0000000001BE0000-0x0000000001C17000-memory.dmp

Filesize
220KB

Download
memory/864-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/864-254-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/916-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/916-133-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/916-138-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/932-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/932-165-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/932-157-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-116-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1128-126-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1128-129-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1184-78-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1184-86-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1184-87-0x00000000005D0000-0x0000000000607000-memory.dmp

Filesize
220KB

Download
memory/1256-155-0x0000000000360000-0x0000000000397000-memory.dmp

Filesize
220KB

Download
memory/1256-146-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1256-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-49-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1456-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1456-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1564-73-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/1564-77-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1564-69-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1728-269-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1728-267-0x0000000001F80000-0x0000000001FB7000-memory.dmp

Filesize
220KB

Download
memory/1728-262-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-282-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/1740-285-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1740-277-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-1-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/1844-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-184-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/1944-174-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1944-187-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-178-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-173-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2032-291-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2032-292-0x0000000001F60000-0x0000000001F97000-memory.dmp

Filesize
220KB

Download
memory/2032-284-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-276-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2088-270-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-197-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2200-193-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/2200-185-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2276-94-0x00000000004F0000-0x0000000000527000-memory.dmp

Filesize
220KB

Download
memory/2276-98-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-103-0x0000000001C40000-0x0000000001C77000-memory.dmp

Filesize
220KB

Download
memory/2392-99-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2392-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2424-243-0x0000000001F70000-0x0000000001FA7000-memory.dmp

Filesize
220KB

Download
memory/2424-234-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2464-35-0x0000000000830000-0x0000000000867000-memory.dmp

Filesize
220KB

Download
memory/2480-208-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2480-205-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/2480-195-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2492-212-0x0000000000370000-0x00000000003A7000-memory.dmp

Filesize
220KB

Download
memory/2492-217-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2492-206-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-11-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2508-16-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/2524-225-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2524-231-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/2588-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-59-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-68-0x0000000001FB0000-0x0000000001FE7000-memory.dmp

Filesize
220KB

Download
memory/2604-227-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2604-224-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2616-26-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/2616-30-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2616-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-143-0x00000000004C0000-0x00000000004F7000-memory.dmp

Filesize
220KB

Download
memory/2736-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-148-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-253-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2792-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-244-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-293-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2804-300-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/2804-299-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2936-2-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download