ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Size

446KB
MD5

7117337199731d38da136f6f472fbb7a
SHA1

be11f1e3de5d90c06ea5e76648f36a00266cf7de
SHA256

ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce
SHA512

446f935e5510303e37a13abf7ee5ddc13a76bda6bfff5fe9a3e472cfe71f41eab61c7884f77cb7c4df5b6c6717c72985039efed789d5f7907df3879eb2a31f92
SSDEEP

12288:gQ+Qu9yus9exo/2oweeKie/fU94ieeZXnAeou:8I9exo/2TeeKie/fe4ieepnAeou

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

UPX dump on OEP (original entry point) 52 IoCs

resource	yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1048-9-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2196-10-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2800-18-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2716-19-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2416-28-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2716-27-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2416-37-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2756-45-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2880-47-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2756-54-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2784-64-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1040-63-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2000-73-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1040-72-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/476-81-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2000-83-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/476-90-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2328-98-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2240-100-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2240-108-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1704-117-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2056-124-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/832-126-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2272-134-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2056-136-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2272-142-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1172-150-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/912-157-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1528-166-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1732-171-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2204-182-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2560-187-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2672-196-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1144-198-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2672-205-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2584-214-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2496-215-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2896-222-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2496-224-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2896-231-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2768-233-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2768-239-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2020-245-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2740-246-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2020-252-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2136-259-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/1372-260-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2136-266-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2244-274-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/808-272-0x0000000000400000-0x0000000000437000-memory.dmp	UPX
behavioral1/memory/2244-280-0x0000000000400000-0x0000000000437000-memory.dmp	UPX

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\Q:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\T:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\M:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\L:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\L:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\M:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\G:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\P:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\S:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\L:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\J:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\E:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\U:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\H:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\E:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\S:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\K:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\Q:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\S:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\X:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\R:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\N:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\O:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\M:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\W:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\R:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\I:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
File opened (read-only)	\??\V:	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2196	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2800	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2716	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2416	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2880	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2784	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1040	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2000	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
476	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2328	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2240	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1704	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2056	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2272	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1172	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
912	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1528	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1732	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2204	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2560	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1144	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2672	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2584	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2496	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2896	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2768	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2740	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2020	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
1372	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2136	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
808	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
2244	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2196	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	28
PID 1048 wrote to memory of 2196	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	28
PID 1048 wrote to memory of 2196	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	28
PID 1048 wrote to memory of 2196	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	28
PID 1048 wrote to memory of 2512	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	29
PID 1048 wrote to memory of 2512	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	29
PID 1048 wrote to memory of 2512	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	29
PID 1048 wrote to memory of 2512	1048	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	29
PID 2196 wrote to memory of 2800	2196	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	31
PID 2196 wrote to memory of 2800	2196	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	31
PID 2196 wrote to memory of 2800	2196	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	31
PID 2196 wrote to memory of 2800	2196	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	31
PID 2800 wrote to memory of 2716	2800	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	32
PID 2800 wrote to memory of 2716	2800	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	32
PID 2800 wrote to memory of 2716	2800	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	32
PID 2800 wrote to memory of 2716	2800	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	32
PID 2716 wrote to memory of 2416	2716	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	33
PID 2716 wrote to memory of 2416	2716	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	33
PID 2716 wrote to memory of 2416	2716	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	33
PID 2716 wrote to memory of 2416	2716	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	33
PID 2416 wrote to memory of 2880	2416	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	34
PID 2416 wrote to memory of 2880	2416	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	34
PID 2416 wrote to memory of 2880	2416	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	34
PID 2416 wrote to memory of 2880	2416	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	34
PID 2880 wrote to memory of 2756	2880	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	35
PID 2880 wrote to memory of 2756	2880	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	35
PID 2880 wrote to memory of 2756	2880	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	35
PID 2880 wrote to memory of 2756	2880	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	35
PID 2756 wrote to memory of 2784	2756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	36
PID 2756 wrote to memory of 2784	2756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	36
PID 2756 wrote to memory of 2784	2756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	36
PID 2756 wrote to memory of 2784	2756	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	36
PID 2784 wrote to memory of 1040	2784	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	37
PID 2784 wrote to memory of 1040	2784	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	37
PID 2784 wrote to memory of 1040	2784	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	37
PID 2784 wrote to memory of 1040	2784	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	37
PID 1040 wrote to memory of 2000	1040	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	38
PID 1040 wrote to memory of 2000	1040	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	38
PID 1040 wrote to memory of 2000	1040	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	38
PID 1040 wrote to memory of 2000	1040	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	38
PID 2000 wrote to memory of 476	2000	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	39
PID 2000 wrote to memory of 476	2000	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	39
PID 2000 wrote to memory of 476	2000	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	39
PID 2000 wrote to memory of 476	2000	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	39
PID 476 wrote to memory of 2328	476	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	42
PID 476 wrote to memory of 2328	476	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	42
PID 476 wrote to memory of 2328	476	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	42
PID 476 wrote to memory of 2328	476	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	42
PID 2328 wrote to memory of 2240	2328	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	43
PID 2328 wrote to memory of 2240	2328	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	43
PID 2328 wrote to memory of 2240	2328	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	43
PID 2328 wrote to memory of 2240	2328	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	43
PID 2240 wrote to memory of 1704	2240	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	44
PID 2240 wrote to memory of 1704	2240	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	44
PID 2240 wrote to memory of 1704	2240	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	44
PID 2240 wrote to memory of 1704	2240	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	44
PID 1704 wrote to memory of 832	1704	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	45
PID 1704 wrote to memory of 832	1704	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	45
PID 1704 wrote to memory of 832	1704	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	45
PID 1704 wrote to memory of 832	1704	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	45
PID 832 wrote to memory of 2056	832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	46
PID 832 wrote to memory of 2056	832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	46
PID 832 wrote to memory of 2056	832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	46
PID 832 wrote to memory of 2056	832	ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe	46

C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
"C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
  C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
    C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
    3⤵
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
      C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
      4⤵
      Drops file in Drivers directory
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        5⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        6⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        7⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        8⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        9⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        10⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        11⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        12⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        13⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        14⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        15⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        16⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        17⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        18⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        19⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        20⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        21⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        22⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        23⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        24⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        25⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        26⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        27⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        28⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        29⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        30⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        31⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        32⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        33⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        34⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        35⤵
        Drops file in Drivers directory
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        
        C:\Users\Admin\AppData\Local\Temp\ad96e8e2dc661d59e25a8d7f2f3f1a79f4b0736f69d34a3bd0b4ba67357e8cce.exe
        36⤵
        
        PID:1688
- C:\Windows\SysWOW64\reg.exe
  reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
  2⤵
  - Installs/modifies Browser Helper Object
  PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Browser Extensions

T1176

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
460KB

MD5
94a43443a2f0dd1459e982e9eebde7a6

SHA1
6cd5b8b6136e9dffd5ead90fd232ecbcd7cef8cb

SHA256
acfe0cb0548f5c3d1f991acc57e91ae29281c3381ff7c0cc3aaf77ceb98b8ee8

SHA512
fa2b82b5d57b59c3483e667867f6bb05b754c807ee5da59fdfb3c1b16d49d8ff5ae1c1212240683e393f76ac401ab4e30a9353520b2984a5b9267a9a0fb2a064

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
464KB

MD5
f8a558715f2516e82f1baf46e3caaed9

SHA1
3a72634ea78e3e1c69b08f267b6d0b84ff68901b

SHA256
d46797d2669946088ae9871c062359dd400e6109e6000100ed6f3e420b09e9b7

SHA512
fd2bd08706098365c6bb31ec05e64cf2bae29e7c604063f6825d4a92c80f57f9ddc9d2e3dd875b2ee16c2ab6517352ca3029ed2dbaf01589725c8750fa727095

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
463KB

MD5
6754dcd07794516ef31fae5b87ca74c3

SHA1
0e0bf558b8cf00af14e49080598f3db7fca3b73a

SHA256
2ddf7051997cf681544783806c24777e0db9ddc840c9cf33235e5049f7d4e39b

SHA512
5b21642ad719f25c6b976100ea0cf5ae21425dd53d7dea80964d4ba98852100d12a12d1780feef3ead585d9ef0c02d4ab1b3329ba4aa3fc86f94304344681c3a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
464KB

MD5
7d6a65256f93157d5b76e76be2510e71

SHA1
fc116370c47eba64db5bac72b214897325e85eb7

SHA256
7e563bf808c865124762ff832c80b69f63dccf6891fa604b0f82d5a6d1242f07

SHA512
404797f48d75b2a354b223b256039b85464f32593740703d920370dd207ce97678ea1f21df3db60473fd58a83a3755f3c78bf0546e0085ef1f2f9d2bba12b109

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
466KB

MD5
5536fa98485b7937bcf38c3a3284384c

SHA1
4aec353bba54f7214dd83bb46b506b8aaea4224b

SHA256
8933e9c4be802b09d177412b658a6a52abc63bb5d8352d2edf6339630175a67e

SHA512
2aed5b81c68d1ad49635374298bb4c497c56e930f4871b4ff8e4f36b34b4f1109e440fa867f51d6d0204f920b0c4334f24b164e4e06448386f61c7e2507098f9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
455KB

MD5
ce8d7603532b51b19f16bfadb702a377

SHA1
f8aab23dd380b8cae7e4325b1aa7cc71a9496d90

SHA256
b94f69e372a79ca9652f2de07a64c9622e675138f0337e1f213c11d06cdf523e

SHA512
a9c53bbe3031bfe635d590c5a5df10f3f0ad759b9355a67656091ca12d05563251ab0b510b4287e959ca0d19b73f8b894f0ca44161f4861f561abc28da003762

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
456KB

MD5
c615349e1d4e6fd1bd9153ab0cbb4f1a

SHA1
e4d1ba11554cc9b84bd74d6563ea4d7e69bd4320

SHA256
27f514c8e1594e7af2a1e59cab341fa8f58faf30028eced6cd3e232638086353

SHA512
e954f1a2c969ac969733c2a92c018ededb69c3e427d02d4a41fdbc1bf0b6cb076454bc6e36dcf14a7860dddd4ab5eed45e0a71639349d85c5740a32cbd38f3be

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
450KB

MD5
4ecd289823b4606be6eb89cc138331ef

SHA1
c95e82c598a28bdfa468b25a792cf653b51967fe

SHA256
073bb99e318ca25a9139671e927f99e6eb344467cee4d9065819f42f838fe0c1

SHA512
becee87ca57d08d094f199ddd2634eeaeae369e51d0922ef5a3d311a1b11f67a4705515f1b0e059c51013b5e355bed1ebfe128b274fb8ec9d3d2403932a8c0a9

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
456KB

MD5
782d7a63f5906f6c95952fa61ab81f59

SHA1
cb304a65b3e6becd528b69530ac1ff0ec8a8a116

SHA256
2154a1ac06f89aa77a837983169d056d52eccc550ee3de66db7324b55f5c5e6e

SHA512
7d83b28b4ea66475bddf1f227dd1da888763d648d95c18bf887caba90e4cf3200cd5083745c2fb4abe0832a5af7b28dbc40c7e134074e5adc81fe585e462df49

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
466KB

MD5
429509b75b757456195256946d284add

SHA1
7bf3c9da504b91b3758b208de6433fc36e3d44f8

SHA256
68c98075ef625248a4495e50f887d00edb675388dd1f18f975952343bd9cf054

SHA512
de46984b1cb694dfcdd20f36a5ac5dcc5156e6a45e3aff3b880c057dca115b29706dd8e9b32532fcdf76e06e3766993678f59f5964eb69e3c7d91a94bad870dd

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
474KB

MD5
7378d212f72cd8c4c1a9572c3c87ce06

SHA1
3295fd59ec25ca163e17f6cd330bfb112f4896fb

SHA256
a952c29b636f0d4dd175d46cc07f99b1cd2e7afb0b967dfbfc30d80264b01b30

SHA512
5f17a87e8c149ee41167a3277d5b057b27841e58a94d78f316afb6c2fd06d3948fed0bfcfc3e4f1242fd71f10e27b5d4be9eacbeb403b3a30e55984d483a03bf

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
457KB

MD5
11413bf5015881da0eb2a5f122a34c0c

SHA1
1e4c8f3191befc3724bab6b7674095077e3103ed

SHA256
db1085f61e9cdff05f5324e4df930cb541a30d15c087b904ba392b67ba6f5211

SHA512
59a1ae7e6f431d58baf1575713d589f6b1638397683858fda0d2f1acb56971425945cb0ba4c96bfb1a9c17cc7f953a214fec842ca899c4eebd71cc3ecf029e89

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe

Filesize
474KB

MD5
37c93bf878d97fd27147955d728738e5

SHA1
a1a0f8e8e8e519eeee51b44b2d7940d0c6437e15

SHA256
ee124a0c8d54d4fc0fbddc17997141f69ef76d2ac12a8f708fd3f7fcb50f7388

SHA512
187f11a49d8a7d59572432d76647806e2621fac4a34f8202734f5b16207af638c72830115fc0183029402075f8b25c2127d9c394987e5715119342778cd35814

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
446KB

MD5
076170f8a9950680b32d6fc3d5865cdb

SHA1
a6ed86734d0ea1adfac4e39f6cc376f3103fd1f6

SHA256
2f903f6b8499ec2a4ca43d51e3cf6127d70d1e8a1b825ebfa96a831cd21992d2

SHA512
a89dfb0f1fb62d3eb7c9b58096ac0846227b4c916d39fd580e5968a243c084fd61557135f45f48edb72e98cf306a94c009f846923a7e956f54ae9019884d8e12

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
476KB

MD5
757acd1504afd4e45ed4dd73faae8afb

SHA1
c0a663fb37d929b1ac548ca46460e870ef54d1c1

SHA256
fdcbf8afdc56b08024782ae94071df1f2201abd2e4725338bd62e373a0605ba3

SHA512
ac48d8a270d3701ec90ad0bd04ee5098b607172bfd863739edc96988af91712d56d8cc8a804ce5d0b009f8770a8e7302401873f408dd6f8bf0f11b16d2332018

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
684bdb33cfc117ecd5c5e5fe2c72912f

SHA1
e3d482cc1613080b164dc993b2013dfe9be227ef

SHA256
f3a5f4845493648e19875d3a96415400f53508a0bba5a475c13aed44307a19ea

SHA512
9d898aaa76901537f4c18a494989595da3d114c9a5cb55918ffb67a93e8ba3f0ea6bca2bb6085ee8cdf39baf811252b9ccadee421d4f65d482ffe12726a32612

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
451KB

MD5
38508be90cdaed029d3922b6ea14e3df

SHA1
252e6e828c3e121f84aaaf13b4bdf02ed5eb3357

SHA256
4d45d6da2c194bff2b8681bb1bc7daca8ea179c377d94dc91d6e892254423bd8

SHA512
dce52ed736a1cb8834430e567c2117a566a8b5c56dc338e957a7a646223b5a53f46b71d3b49abba1564793859263a00d0c0f3b9965f7ae30d29463e3598667ff

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
447KB

MD5
8c0b67b7da9eec3f4c125a7c153c253a

SHA1
611f63475662378777e5ab4d2b19107b4619b52c

SHA256
870ba913ca7911bc22f255eb500972f14fa6ad8e2bf6948d279a65994bfe472a

SHA512
bf8fa84de6e53a573b46bf1f8d6764490397ba6ec28298273c4a78c5061513eb04fea09ab0760b47b01fe0ecbc40d1a4b7ba1e35845e131ad00c74abea12fecb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
469KB

MD5
96ad64efdbb557b866338eccd426a052

SHA1
437c3832d0086024f33ede734cf672b164714366

SHA256
f050d7bff1fc04c9c0dd6754a4847960098454269c1b217e7fc0f5c2d7bda3af

SHA512
612e68525adb08223b2dc29fb7cd1be437d7ee68889c0be930a6f23eafb75a61d453ced9dca3260081fbb5d6372f2b2406e7960311e01268e60d35837a674163

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
461KB

MD5
1675d1c40ec3393aac1d159f8a59610e

SHA1
951d302b52a9921a2fcd6fc2ca1754a2e43a8d77

SHA256
d7d98123c12636fb6b0225a4b4b2fbd49c365a68e39217e0412bb1d3927c74ff

SHA512
2c47111f8e65b72a2df65fc68bbd5413dba1a46fbbc3e806c288912b1a2eb1102ce22f1589066cf102b1157040f2210453a852bdd83666b2655ca48be75a5b66

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
472KB

MD5
3791e6004cfac2ac53aa09ef2560713a

SHA1
9f7979c955e6f2494c960f7200f3a6836c5c51a6

SHA256
78bde2ff8ced4cc8ca98e2e8cff40bb06f2e4ade69cbdc301e43bbcac30875b0

SHA512
bb593ecadadb0c815599ba1d30ac6311aa2ed4277b450b7a8d51c9e126538babca45318d15abfa80f29fb0f6357b70959bd1679a7b613955590597f5d3fdf024

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
473KB

MD5
fef014232a80bec4a61be93cacd91ac9

SHA1
fbc6fd0b6c9704322cac2e26430b18e1fed1aaf7

SHA256
9e2029251138e9968c59525f4b9e43213b90176a81341f9c139108c9ae82aea3

SHA512
a446d0adc265977fd00b61b0188ab17c1df22c16a880601300b6cc665a029174cb364331f44decb545ad2579c27199d7dcef9cb94ac3a60ace132a14340804a3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
465KB

MD5
c5b5e0f2ae6de20e9483585bc5f39585

SHA1
2d84e16a01b2743692801aa43120259454c0d5d9

SHA256
46f9cb1d65aadb9267aa52cb3c4b03cbcb8989c9e20460a12345bafcb291cb34

SHA512
e8fd1cbbbd306d62a150b59fcfa04e6801af6685ef2641be366ae233227fc4627e3c0e24cfd2d0cc0c5f30314ed800c3f4f41c618a770fdff36f08909baf4813

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
461KB

MD5
725db1c23aadefbedb738a48f235234a

SHA1
6b1fa6dd5cf9d02d779abb45a602641c8aacec2f

SHA256
102cc5ab8f2d37a5be3b281a14479548ccb45d1dfc1c6cefe09498b3047853f9

SHA512
2da8a228d57d33e2f2d763919bedd4422be78ef4e30c0947fb139287b6fe126eeb707210b031efcee3b9e2257d245f37a43db551e0cfa89eb00b9139a56c20ab

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
458KB

MD5
d5f8e68fa6c3d572540f0e3aea70af50

SHA1
fa84c363c78fe93a4b9eefaba245b19a300fc8a7

SHA256
eba029fbbced0ab3c710cec18b1b36248b69b8a5b98bf582ae1d2547c9a00472

SHA512
bb9da1987b29bc5fe193677da8a7da8a18aec99bcb49f23cc4feb17220317a30b77b665c791ddc85c95325865ea64172461ed3b7b6b42686d36d0c033f95e9d2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
477KB

MD5
ff6dab5dc51d8e8d9fbf63a9723856b5

SHA1
1f4e7752f72cdfb238582940c06a5f147aac4d4e

SHA256
5e3a162e8ac4881dcb7bfa836e4f48a3e06056ccb0735bd47b604ab6477693df

SHA512
b071b2d019c82ef8a201454d2959912b9420ad99de02c3010e6e32641abdfbfac6ce5bd094a0cb5bce277a8a3901ff71cfb10007f5e7bd2da12daa0f569443cf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
448KB

MD5
99514363abcb440cec5026be71d09ceb

SHA1
0136abe21d1a5441860de3ff3510d81c6364fb5c

SHA256
b9e8202706a46b855293813bf6db03ee9d34b9f592611f23967123ab3e5eea55

SHA512
43ae41e1bc93d0d9a5d939bd5d970044962c6c77e3fabd74dff8ba98e9d97a797de71853f4370dd14cb1cb5c0c2da684009b43d71f93838d525273a5729c5378

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
468KB

MD5
14e70b57961e227189130d818a95ea84

SHA1
816bb3030b928733f273f3c1ce12c73542d844b5

SHA256
564a90a1f18808a07d01a1baa453a3bdb2af53c7f0a3b761217e642271802c7d

SHA512
98b61dc797fd1acbe391841af56eb90991673267b611f6f67418d28c1bdfd8cec045ce8fb6926200b70434a65f08fbb46973fc80ba041d35c96cf214c1d04eb4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
473KB

MD5
9961371a7724622a878cfe82645a2076

SHA1
a1a88c1ddb3cd925c9478c5f4e0c9c97f515a94e

SHA256
ab422b36c0f34f162b3e140bc7ece5d23b1d75ae20a58d65c798ca677001b9ce

SHA512
744dc7b34045844899f5cc1c9d8a5e5354c6144b3a038b10cda82ef74a8268d0243f322f2dbdd711a2f77401df6afa679496f12bf70daa8f48efde734cb243f2

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
11051185eb3e3057314d7b6f9e2bf757

SHA1
cef01e999b90351033b9a2f96602a2c0610faf41

SHA256
c6ff9ec0ce1fe1d34eb36d63fb7e7b491ab68aa73566e90c617fb1681ea1719c

SHA512
10ce886407fef4fd0384aa058d373bcda9d385dcfe65d24a24909e03559036fb70c0145e74020db84f3cb123c5c72c06f3cb37a9b6e1d8bd396ef3a1198c9819

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
473KB

MD5
c90d952fcccbcec4d3916758a9cddaa1

SHA1
451f7b03ef443fa6e8da24b18a50c0d8c0b7199e

SHA256
b30bc4cebd73e5c263193733147378ece1a597c8cd11d268831aa8cd79694a53

SHA512
38e88e9164b94c394afda55e2af5c68a9769dd5ec1d3ac3008f3064f02feab40b87562ff45600c519c4f8fbc088aa029a3570af7bde6a41f24b75a6927feb9fb

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
448KB

MD5
f6be12191ff5e73cfded49926d9318e7

SHA1
28f02a9e9c70214841dccf629da8af64dd79323f

SHA256
b7c324aad1813242cb07a8a3f4fadc9a5d57024cb0a49a694df2fd9b7a4fdac9

SHA512
ba49e7440e342c92ad54b236f2cbc0d5ce0093786d64e8d89e0dfdc81ad1948a7eed1559f963053a24d2d84799fc5eb92aef1410fe508aa7b4b9af170be4e328

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
164698c9c086952e1d66efacd0a2f627

SHA1
48f18da8fc1482a53ab756e5afe5c488497d2a4f

SHA256
69ef50379934781e4481805c4975ac1c8baf86980bf03690568bc0629d3a2634

SHA512
deadebd364826cb68f5d4725b1a38e4482bef00a045947457984ea3a355c3d8ded52baf23f347be4de806fa83db912382ee35f493040adf92990b93c08f61fb5

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
472KB

MD5
d7e074017adfd3c9cf7ef9e54aeacaa3

SHA1
f2fbac54837ccfc761785275cd05600b56d304db

SHA256
78d92e22b074374d195d1ed042623d43c830f3ef60ba90b97812cd9fafa5fb73

SHA512
bdd9451266cf61afb2bc719603fefbfaa73942237e0579abe8faac4820c90defa7e9c9136b8fa697755ff8ff0da2bf0bad7d42fa6074d9248ec13e00a31061cf

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
464KB

MD5
179f0b273616684c98c11973f10e01db

SHA1
2f0edfd83394cc56f2a0254bcdce1a59e459240e

SHA256
a3054f023237181191bb25d3ad8b0979b9cb3bb89831bc6f38ab8a59039375e3

SHA512
a527f25ac810e434b95b8c48e2cc4aaf48b2730c658f4388f6e86e9a05138ce15b3ea7efad37dda128f596d5fa33f432481c41c2a42617be0b53457161347cf1

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
463KB

MD5
d4660570cddbf2ae589ea57804874c2c

SHA1
f00b22fb3521bd07089125daf2142cb6034cfd62

SHA256
3a7581fdff80cf5b3568c14582ec6416d474723b36df594afced0c8f5f0a6e7a

SHA512
26ffea161d44e0e01ff554106ba389605c3aa8fb44a50d0a2f89bf44f85fb615c53d5d526d00f3c38b94545debcf6231b6f4097f0eb835e389fe183079e588dd

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
473KB

MD5
739b2f82d38a2c8e3a423e1de7d94986

SHA1
02ce96ac8f0d343b8b4d8704df29b64bbfd01c33

SHA256
b68fd896144cc4d1d6e6888300f9f184ed44c81718d582877ae36422ae311edb

SHA512
6bcf1579be3ae40d92ed849aebc17bc8c96e8f35d3dcd3f5d61a46145055f36154a570e41115761ada7c49ee6cdacb435a990453b90da3c66356b6ff9d86a151

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
450KB

MD5
e3a48ab272620938e2c1a44712e4edaa

SHA1
bbe0e80fd68350eb591fe299b4e40f401a788fcc

SHA256
5d798b6eee8515f0594286b93728accaf63af75257e81a2d29c3983a88664ae5

SHA512
20502f6572974fd2024af3a5da3d9308cbbc4258f353724dc1c202cb4f5f7707aedd3bcb3bfbe49fe7398f224381217799a382434b457353fbde3ff1c99a119c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
458KB

MD5
7cf37e180dedcfad4891f108f5409d6e

SHA1
32c2446424e8db2bd7fa2a21f0b24ae33c9fe723

SHA256
f9c16c7a64a78edca52aa2bb66231bce85ae4411cdfd3112bc3193f44166a0e3

SHA512
c66e8f0abcb4a49353bcd2d52de067d25489b2b3f6fd734712d498d590a8982d55ad9c118f986ff3f0c2bcd34ed6d05a6756b968e35b89ce346f7dd90847eb10

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe

Filesize
448KB

MD5
e346b47243e2b50d722313836d175255

SHA1
09df481e913ab7df5547594fb5afb99297b575e2

SHA256
db751961d2dbbe07c597167784ee6e3bc0fea4d424c8e96f0cbd791208192aab

SHA512
d01078122c18e1376048834cf45849663d0ebc6359ec14889af31d6c28ce7df09b9c82fbcdcec4b60a15d199c3c0c4b90815909589b48d200e5ba39cd7dabcfa

Download Submit
\??\c:\stop

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/476-81-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/476-90-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/808-272-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/808-273-0x0000000001FB0000-0x0000000001FE7000-memory.dmp

Filesize
220KB

Download
memory/832-126-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/832-121-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/832-113-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/912-157-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-68-0x0000000001C50000-0x0000000001C87000-memory.dmp

Filesize
220KB

Download
memory/1040-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1040-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1048-1-0x00000000003B0000-0x00000000003E7000-memory.dmp

Filesize
220KB

Download
memory/1048-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1048-9-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1144-198-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1172-150-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1372-257-0x0000000000320000-0x0000000000357000-memory.dmp

Filesize
220KB

Download
memory/1372-260-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1528-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1704-117-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1704-104-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1732-162-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1732-171-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-80-0x0000000000390000-0x00000000003C7000-memory.dmp

Filesize
220KB

Download
memory/2000-83-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2000-73-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2020-252-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2020-245-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2056-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2056-133-0x0000000000840000-0x0000000000877000-memory.dmp

Filesize
220KB

Download
memory/2056-124-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-266-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2136-259-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2196-10-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-182-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2240-100-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2240-108-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2244-274-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2244-280-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2272-142-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2272-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-98-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2328-99-0x0000000000340000-0x0000000000377000-memory.dmp

Filesize
220KB

Download
memory/2416-37-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2416-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2416-32-0x0000000001FA0000-0x0000000001FD7000-memory.dmp

Filesize
220KB

Download
memory/2496-215-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2496-224-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2496-219-0x0000000000380000-0x00000000003B7000-memory.dmp

Filesize
220KB

Download
memory/2560-187-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2560-178-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-214-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2584-210-0x00000000004F0000-0x0000000000527000-memory.dmp

Filesize
220KB

Download
memory/2672-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2672-205-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2716-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2716-19-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2740-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-45-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2768-233-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2768-239-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2784-59-0x0000000001C00000-0x0000000001C37000-memory.dmp

Filesize
220KB

Download
memory/2784-64-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2800-14-0x0000000001CE0000-0x0000000001D17000-memory.dmp

Filesize
220KB

Download
memory/2800-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-33-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2880-44-0x0000000001F80000-0x0000000001FB7000-memory.dmp

Filesize
220KB

Download
memory/2880-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2896-231-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2896-232-0x0000000001F90000-0x0000000001FC7000-memory.dmp

Filesize
220KB

Download
memory/2896-222-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download