2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f

Analysis

max time kernel
148s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-04-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Size

429KB
MD5

e7a88e7e9d684a29c4642040ae274420
SHA1

7ee3a7cfaf1a8db45f6dd2195d2e93ae74377ec2
SHA256

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f
SHA512

c48f2957648e2ec794712a84cc1bcd78c9161578f14853d0507711d437780d1a17ceb9ea91a702e2ea7bb2920c18c5ca31646c9de65c9600ec9d7a92eec0aa2b
SSDEEP

12288:HQ+Qu9piwpwIG5MtQ+AeUjeAeheVqZe7J:Xpi4EMsemeAeheVqZet

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Detects executables built or packed with MPress PE compressor 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1760-0-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1760-1-0x0000000000820000-0x0000000000854000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3056-2-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2768-10-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/3056-12-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1760-13-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2768-18-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2452-25-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2972-29-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2396-34-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2452-38-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1076-46-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2396-48-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1076-55-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1836-60-0x0000000001FA0000-0x0000000001FD4000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1836-64-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1428-71-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1828-79-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2684-87-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1616-83-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1616-95-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2288-102-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2292-112-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2268-111-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1912-119-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2292-121-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1912-130-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1748-139-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2896-143-0x00000000002F0000-0x0000000000324000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-148-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2896-147-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2208-156-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Users\Admin\Local Settings\Application Data\cftmon.exe	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress
behavioral1/memory/904-161-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/528-165-0x0000000000400000-0x0000000000434000-memory.dmp	INDICATOR_EXE_Packed_MPress
C:\Windows\SysWOW64\drivers\spools.exe	INDICATOR_EXE_Packed_MPress

UPX dump on OEP (original entry point) 43 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2768-10-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/3056-12-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1760-13-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2768-18-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2972-29-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2452-38-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1076-46-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2396-48-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1076-55-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1836-64-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1428-71-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1828-79-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2684-87-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1616-83-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1616-95-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2288-102-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2292-112-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2268-111-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1912-119-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2292-121-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1912-130-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1748-139-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2208-148-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2896-147-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2208-156-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/528-165-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/904-173-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1568-182-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2772-190-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2736-197-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2556-207-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2728-206-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2556-211-0x00000000003C0000-0x00000000003F4000-memory.dmp	UPX
behavioral1/memory/2556-215-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/572-223-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1996-229-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1728-235-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1456-242-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2460-243-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/1456-249-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2652-255-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/2672-261-0x0000000000400000-0x0000000000434000-memory.dmp	UPX
behavioral1/memory/848-269-0x0000000000400000-0x0000000000434000-memory.dmp	UPX

Drops file in Drivers directory 64 IoCs

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File created	C:\Windows\SysWOW64\drivers\spools.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

description	ioc	process
File opened (read-only)	\??\W:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\M:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\M:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\J:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\R:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\W:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\N:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\W:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\H:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\E:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\N:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\J:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\Q:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\S:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\I:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\O:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\P:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\L:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\N:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\U:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\K:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\X:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\G:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
File opened (read-only)	\??\V:	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Modifies registry class 1 IoCs

Processes:

2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

pid	process
1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2768	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2972	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2452	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2396	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1076	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1836	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1428	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1828	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2684	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1616	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2288	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2268	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2292	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1912	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1748	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2896	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2208	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
528	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
904	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1568	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2772	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2736	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2728	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2556	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
572	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1996	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1728	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2460	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
1456	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2652	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2672	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
848	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
"C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Sets service image path in registry
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
2⤵
- Installs/modifies Browser Helper Object
PID:3024

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
2⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
3⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
4⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
5⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
6⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
7⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
8⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
9⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
10⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
11⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
12⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
13⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2288

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
14⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2268

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
15⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
16⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1912

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
17⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
18⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
19⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
20⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:528

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
21⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:904

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
22⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
23⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
24⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
25⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2728

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
26⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2556

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
27⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:572

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
28⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
29⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1728

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
30⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
31⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:1456

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
32⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2652

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
33⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
34⤵
- Drops file in Drivers directory
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
C:\Users\Admin\AppData\Local\Temp\2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
35⤵
- Drops file in Drivers directory
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
435KB

MD5
f19d3ac6e2fe6bcae0b0e9b5b4eeb8be

SHA1
52eeef04ff69b6b96850dffa1755237bbed56dc5

SHA256
9da199e66a4f8e38c00238ac7405e8b34c2d3e2fa56552369dec89db92847038

SHA512
b05cf4d323ec9a7a0ed2269995b2d974e5474f83554996e76a957b26b2b2dd9fd0a0c6badcc312755556f987a865034a72bfbfd0bc1bf9d1ed780d1a93ea18f1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
458KB

MD5
2a8d6d16d8b2b625c9cfb89d01f921e2

SHA1
a424102fc08639fe57a34591c611bff99ead68e5

SHA256
70e2494224cc817a82d0f2a62c02cea98b8152ce95b55a38c1a27e0a8ee9475d

SHA512
f905563bcf65671682d00c84950d8b9e17b235c1d9afb072ffc2273b57529ad9b2c5ff96255d04ac7ea5b97f26af68a2a4c1f36c8bd27fb133cc36a1a86abd41

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
438KB

MD5
ad161bcdd8aacd603aaabd235e16a918

SHA1
487265666cb00c5c834007f11c117739f519fc65

SHA256
2028323986c4a9d2c42546373b9da93fbc229da920225c9fe9343029c5fce29b

SHA512
a7aa0cd9ce1cf55f131bbb0b2eb6f390f03d5d8efd0b6113445643015f9b54986639a945706c43195c611e3d5ca058b4cc6059795828257f12208522592599a1

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
443KB

MD5
ce20635352910d2bff67c6a8401b6521

SHA1
d8b13db168a29842cd9c8a36d1368638d1952e77

SHA256
9676b237dcb14072782d511ec5ce1e3b52a197dadb366024e8d2065ddfcbfb3d

SHA512
ebcbe0cb50c6ad4039682bd77c711f1c6f6541751613837d4e3a3bf0efade57268cc416bee8fd97ca5aec49a96998aa36fec43c95a9627591b87e1cae333a7b5

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
444KB

MD5
7e0c7ec888f9c2997ca96ff95d480d9b

SHA1
e87e79803aa3dc4777c5ad366965a93cc0fab48e

SHA256
4d7999e088209b5b9cf520d8b268ce422cf3df4f1fa865a9f99f6845af250a61

SHA512
5dd9db29ee686a65908d2706f183be25a96f532d35ff956191ba2567cea09fa6b5737a6078828a7f50a692e534e62edd47469433bbfad0bac777aa7a0a68e7dc

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
442KB

MD5
9abd91c58ec0488678bfed956bc1908e

SHA1
60f7944a926c96846af5c9e9f44176d69ddb5835

SHA256
77f638336cdd61c74a4a6686e11a55bfa0eeb20c34c867d3a027db0f5809505b

SHA512
a0c2b26ba5306190f37c2aa52c24ceb6ed21e082111dbcc0dbec3c6cf5bd8db756033fb80e8589374d7e98fa3255e6bd5dfbde4d25c70c73699301babd690b91

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
443KB

MD5
7010923e165980e82c76389e4923cc38

SHA1
b153178d1306d6122aab9ccf7603c7ca797aec92

SHA256
6c413850152c23c69aef413f28a8fbdb41593a08100bab30ca733f3bd2072f3e

SHA512
4cadde47906ac370836a948b3b99a15c900931be063823a9bce2a4ad7d1afe4923b16e00ae9d6fe5818b3fd0bc094bb1b131cab992406b96fb2764e89df04353

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
440KB

MD5
0e015acf6aa14091d8e9006df158f027

SHA1
3aac65c7c26ffccdac8fdcef068482a071d09534

SHA256
37c3ac87d8b32f9a159e19c738a0efa06cc234b41980dd21969f412bab4d6e52

SHA512
ea24ea2fa3899ee3423705df2b065b83101a495ec8152d034f09009709820e18991073b11ca4d970b3fcc35001bf9e0faecf405ce482d840f3295689b2099f82

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
436KB

MD5
a6a23eb09868b3354450cc6d45473da5

SHA1
cffe19eab46a85c00b41e7d6873b134c25c457d9

SHA256
9ad2bea447517fc5b0ad14f485f6b7446cd0a1f307d12fb84d160bff34fdfbe4

SHA512
2b83dd0079ab2c9cffaa64ad211aabf4d7f0abe092ce6c31a853eddf8324e10fb307b2454ba2e1ac5bbc6e98dfb2b6236113c710e111c15815951cb5969a92ab

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
434KB

MD5
ec1101d3b51f092ca32924c446b09ee7

SHA1
4a25d5ed514fc7e401046b466db66986534c3c25

SHA256
a3608b9fda80932fc36bda548ffbbecb043b8ed7e7806db1b39f2fab6d26c10f

SHA512
92867868c7e0fc5705055e1ca438dc598d3e430dc0ca29c5855b5b1169e2f03d7b32a2ca2387d4ea9b9038d6c3323a6c6342a05f888793cc69b2587314b08c77

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
450KB

MD5
5666a49309f906fcd775e5b66319c3e8

SHA1
e1d12652e9f713aa4df9063a2c663e8862ec3dd1

SHA256
d41c048d8f14e400b0efa7c6b5b9b64659a0df309c74bf511069fc234800a9f1

SHA512
af4f6982be000c71058167f34bc2e1739967c10ec255bb57596b26cfb715232b3cb175dfac2c59787d18dcbe5595243271ec75170e490b87bd74e8f6bfc25413

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
459KB

MD5
14b0c8a1e870244eab4beb8318b34398

SHA1
7cbbaa4ec01ce695feed5e1591989e021e42cef3

SHA256
914cde807ae88efedc3b50ef04ee718c0913f6ee24858a989325dcb003c41d93

SHA512
475cf61618363e9ffb0bad2c945ccc84f471b374104712e9bdaca0163b20edfcad1d0065e9a7dd5f040d7a93422b0f68676b635f4eed3dd228c553482a88204a

Download Submit
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Filesize
449KB

MD5
4b2302f6ce3f9a8b5e8b6f563690b738

SHA1
29f9c45745ab262bc1e09a76eb5c2ac687eae121

SHA256
c006fdc2611ff52878d7a5da270ac02e4384ad862cc4f067cdcdfa41b7773841

SHA512
9c30c9631551443e02330e9dd062d127b05a83b59ee999949623bf9086244c40e4f8c4ec84e1b3cdf4bbf4a1461bd323934457f3e6924bee126320444a3c1fe6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
441KB

MD5
63c97259e4e2cf49919bc655cde8508e

SHA1
1f5e115f33ad47fbefd9a54ebcf08c5d7efe9114

SHA256
a0739a1fac93e31f159da86a912eacc5140c40a11893cfefa7b7dd3585352c87

SHA512
ccbe6e18663f6e4f7db4ac6ec5f5d69ed9ef53d87fad345d0cb9ab658b478949ac56e85e3d026adb9c1ef9bf1c8eac8e97ea3c25d34013a342447b5ad6ae650c

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
6ea4e1f597ccbbea1ec116daefcab689

SHA1
e6897386b91cd31dcf00c4c24abdeab2fc0bde58

SHA256
55d7d80b690613000fdc9eaf409fe2eb02458fe30ed6b65a0df5eeecaf87e54e

SHA512
23c9b0c9a847d7a2a8e22cdfcb26ccf9c5793861167a380352fa8dfd6bb434ac2d2293e5075e1e4d29b6a86f0dd5b3b833c85e7814c256e05494cb19507e33b4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
458KB

MD5
8e74fc515bdc951ae5bad4309014eca3

SHA1
72351d5cc34bb38bdba732de7ef7f20be0feaad2

SHA256
19fdd8cedac6886c7e1d931f022a3bbfb8411236ff974764f1b91a2543f4a683

SHA512
ff1de4ca68b42b3dc29ad2b83aeffef80786fcfac94363a1e2fdae48aec4deb347f1767cb15dfe560f1e401283c0cb810f54a400b121165a89faa025601ab860

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
443KB

MD5
622b105d1e53d2f72137bf7b4df365c3

SHA1
95ea41bf06e422a5447aea54e72322a315ef6b97

SHA256
bb4efd72b51cc7bf5bbd84c6732ed2207052d82a09e534665fae560e13be8a26

SHA512
1b950c249eef640343ab8321e8c6da089c25b9e3db2cfbabb6dfa53d65e2fb83fe7c4ae1e7c0d3056f140f089f808606cbbacf67493ba790058bd78d8dbfe0ad

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
457KB

MD5
ea975dfdeb8389ac8d6169a620287307

SHA1
143175fc2b501cda86c421606f8c91b0f507dca0

SHA256
9487ad92d8549a31447c5663700485813bce7cacb110adf5d2cc5a662add13bf

SHA512
7d69d675e455c656f3deebccb3c551c9a2fb51891d41aa1c4208f1b17ba2d8be165d9e45f94c4c693e1ba5de9754781743fc2fb8c09b1100c486dc0e09fdaf66

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
441KB

MD5
d067f2b61ecb3166b1ef3327ef27e20f

SHA1
d645618ae626ea8b6a04f923fc886c839a4e4abf

SHA256
d8f7cdea414b0ad77f36c18c574b852171d1236a3004b7daec598551096b6889

SHA512
ef558b0945e273dd44d3d04edeefc243617f9f7720c885cd6261015ffb2726d05f3a0f93f5582ffe395f0030962fcbc217d66a2b4426f80489cfd4ccfd2de9ec

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
460KB

MD5
20ea93789df2fbb7084350c8ccd6d462

SHA1
43dbdfde7018d6ee939325aca28a77a4519e1aee

SHA256
3582ca37392fb6c998f4a8d0aa65ccb798323152a90c53fd91050dc2a0283ec5

SHA512
8bc2e31845862d23a5e4bae603471cdda030028c860f1e9a936215c363dd91d4f4b6075d7662d73992758ef741a058e44a87c741be1da33b4a64f74b607234b6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
442KB

MD5
906a588014b6e727d94d9f4796d9467f

SHA1
476b7861fc6145708c66b9da4c4bdfbca19c1433

SHA256
7b2bcfc47ed65a3c44824f16e2b7ce1e8f3409bb1885d8ed6b6915e56da8d85f

SHA512
a82c6dea09bf42b6daa66eee34f5191f8b884b8b98341776aaf1710d1cd1b340e3a82bb9127df17487dd674f5096bb4136ed7c72d25fdb706e07c21487b250a3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
461KB

MD5
973efb8c1ff8114734bededaedc53e30

SHA1
ac061cf866549fa5c75af8fa95edb6d5fddf5b21

SHA256
abfad34e4d6d2c5ada30aa8ab6bd22995483b80c3c1ee1f6dc4d5d4a9f6e65a6

SHA512
2cd01e1035e27004ca7f49fbd2ed2425e3c8f4c7a1af06a441900387d9755cf9821c956a8099d2504aa51dcdc2155be7e0c03fb4fae5dd08dadcf3f2a35078c0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
440KB

MD5
6c0775f4ed7ad7633a60375905486cb8

SHA1
f963b1847647c17024a8416fbff2f2761e0d1e59

SHA256
bcc0726f2aae45de72f639088433612a577e109e9e0ffb19548c22dad971ba8d

SHA512
bf017a4d8020b55418eb70bb29d9d11042c5a22ce60d2c2f0629efeb8e7c6c8839dfcd2352f6831041c9184a6744b6ff8fea92ac1db0a0d9ae00543bcbdcd5a4

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
438KB

MD5
06042161f526407f070305c74ff4e89b

SHA1
a4dd63225e3979e03f95640c7eefa7a6ee1be0d6

SHA256
4b6750fc830689f946e8b8c186c2b019f00b831b558ed104b90575135e9f698e

SHA512
fa42bf9b4d02657c50609788afd0494d4d118ba9ddc07eb148ae7f072fda96be9af89b542ade70c68fcace11b402718a0c15d2d1ea387252a7f9aeb131e47086

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
438KB

MD5
a19a7e38a5fcf852f50dff4eed9a3cd2

SHA1
326dcb7624b678c76045571269156ea5361f5a75

SHA256
4a76d9e8c635b3c6ec9737624862866e59ea68bc4bc507bf0ec8977c128982d9

SHA512
62304ad0e23d9f70886ad23dc51cd49102699d5e08f447370d6b4d0da6962153255ecd9634e18e2a362d05f457a7554dfc28c0e42befa48a736f152a6c6228d0

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
454KB

MD5
4bb33aac177c97ce08435c6247c43b00

SHA1
c8d868448060d700f6400004e0760532093da72f

SHA256
dc1cebde6c1c59b2fb132fcdffe9c23d035bddb76847fb5aea7d3436f6bc65a2

SHA512
4799ff00ccd06fbee38d8d8f7b71caf21347dae6d2c9dd896fa93ae78fc6b58bbae2f215c8e8009518cd00618854f86349a3b2389f82b47fb2eb15f1f1b87688

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
431KB

MD5
7b3ec915139b5cd1f09a17d229c88a60

SHA1
2649799da15a4c0b808b6802f2647cb593922a2e

SHA256
fa8c77087d4c58c32dae4fdf258e715031f39eaafbb111fada9f7d6b458668d1

SHA512
8876d94a2e047cd159de59a88821d4ec75e8c5b82bab49c03e257f606274119d0d80874935eebe2fb7fa023e3eff64928c3c4c37ad7d07758d25f4cd25cfa747

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
431KB

MD5
7e8c9c6c70c2ab040162012e424de85d

SHA1
caebebc430e61b5f87a7f26d0bc50e9a2cbd9b85

SHA256
d645a5e88a68262c2ab208a342d8c5fe24c61af678d968f6166b631b71c4206b

SHA512
25fab8a380974d80284743a21405e6bc7fdc2193397688a1ff70e0c938b7f27b2d5be857578f38efa394dfee24baa2ad17f79107cf50b886f1dbfd0fb0f3c2d6

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
75aaeeeec529d272cb06537d29f319fa

SHA1
465bb5b4a2e19c204ac3a33b19e5d6a8c1bc10c3

SHA256
e7c7df5bc0a10ce9e2b0a119f81514b0129b3fe2fd59bf7b6c1fd4ba0b134cac

SHA512
38148880c665173036f2d76fc02282725efed955b921fbb393accc1cc8c25b2a5fc82b33a31cf645d90208dc9cba390a5eb015b827654ccae4ce806374a6fbca

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
433KB

MD5
e4d778090fba8b72c3234f3fecd80df4

SHA1
a70ef3bc62dedebc7a7c774dee9a87955c9705f6

SHA256
f9f280ee3582720a7c1e6c07a6acf4663f7ec7b2091acab681dcd7ccb0fb7582

SHA512
73a0f7bca345aab7b4867785065019de3419cadaa870a68981c4291f219fe6e043e57e47979f6308de72d5a4faf9c6b18a0671f20edc47ab6d22f5528d35441b

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
457KB

MD5
58e7143e0a46776577bd58d9bc597024

SHA1
44e58a9205483c37d09fdcb15c0095c700af623a

SHA256
01603537c34e87816a67029e932357818be469f2ed553052be1f534acc22cd93

SHA512
310ec666831e43e160f73fe556836a52412c118082364b6e1d32c9b09a413d436332adb285c0a365db72edf1074200e3698dfeb18917d833bdea2c754880491e

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
453KB

MD5
eecd045a855cd054b6ccb5a7ff135892

SHA1
bba0a7cd630b9876cbf4b97ad86e11fada0090b9

SHA256
115caf6057907ec0edb1438dd947928214233af2b35efec1cca244d88db0c9ac

SHA512
b9cd06857a880d93b1549581ce5847384fe1798d3dff6fec1c660bd0191fe9679d8e1e81d472408b3f53fdf554e3d08f244353abd4cfd407930d017bed83a7a3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
446KB

MD5
fbdf3bb3b7b16ea904349708bb57373b

SHA1
0c01224d91252bce10b29a81da0fa01515e9b578

SHA256
b3dbb82f41b959d8be8f52b1a736ed823217641e55fbc904cd36317417a9eebd

SHA512
7278572db601df4a5abcf0a6ff35092750d6d3dc2e13150c6187bab0c6e1a4bd7748a6cea6b815ddab3d9d4ec7690b9ae76fc466b09a5122ec6fece78ed7472f

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
457KB

MD5
2fa412982cbc342e02ebc1638e6d76c5

SHA1
234cd7e62e7c1f4bb6d77e95a1027b564e660b4e

SHA256
feae2a28909a8003dbec2dd959e0a3c4222142aa9a94f5caf36b1da69ff34b17

SHA512
1a1f5751c64d3b76492e3eb36850b1c1f9ae1821da3ce0edbe4a43610ab0689ce2a9348fd2ed2930960065a8335e59a1b39748024b27478c8234aac856797a2d

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
455KB

MD5
e932c7fcf1d471b98d5029d92e034f16

SHA1
220fd1df68da44be129df7fb170d5f5df4aa877f

SHA256
4142d339e4861cd12cb36e6baf97d0da18d9b27f10296f000c9363f5accaaec7

SHA512
c4075137dac661dab24c8ec0751f4e6be24f6586f11450cf792625293b0f89da7409f6d92df337cc749ee85fd6fbfd1fcc58551ff69a32b80e1c73e3dd1b6f23

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
429KB

MD5
596842189c97710241b4de18203a613a

SHA1
fa3a8c9c738a9ff10dde6ff2a17673f308b88a92

SHA256
6118a4204433fa4de02268ebdc416f423b6dc8ab7f8c6b4931b4ad9eaa3a5208

SHA512
a3d15b996fa1359ac02d0de56e50828bc32b3f36f771788e28f20b7b3b122d1a0339027d3e8098bd0965ec8c342adfba0bafa67e825c3affbeed774d8e5c33a3

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
452KB

MD5
2bac57be4b400d0be6219740afac777c

SHA1
7026babbcca4ce3d911a41723be523a621f72af0

SHA256
9051fab2003e424d0201a4b08ce1008f0c1f84eb464cfd9f0efea9e089db443a

SHA512
bbf80975594e60a9761a631d951328576ed7d3050c279aa480ebb5e7ec0fbd619ff5ff2b39e4c6a21011b8bf59c262ef175afd742db6fd2445a4871906394688

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
444KB

MD5
fd1018e223199b04d140277c47b12e62

SHA1
6daf49537ff86962e79032b3d085b39e188ffdb4

SHA256
18a620ed6a8f86973f69088837ea9bd744eee4a58a9801480fad92f26c5cfd0a

SHA512
0717a090966279c77e0dbd54abf24400d8ffc97251c31d8aa533e75220fe1a419b620c4bd5ea0d846c306226d68af0c32fb6f3173c5f4e2c2436ff38a61c28ec

Download Submit
C:\Windows\SysWOW64\drivers\spools.exe
Filesize
435KB

MD5
6711b5cdf0db81add7c39e902e8841f6

SHA1
209f985bcdf0f52f04a9b24491970bb55062d05a

SHA256
84e41bb6489522a70d5b96778f63895a4ba0b556400149c00060f38aeca4026d

SHA512
8ea4742cf84e6378511c1f36898ea86e13ddbebb56ab5901ca76d4000624deb20d20fa09eebd2cc7a2167821c37149cb0980d303519d90fab7e91ecc70fbc9c6

Download Submit
\??\c:\stop
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/528-160-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/528-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-266-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/848-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/904-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1076-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1428-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1456-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-182-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-177-0x0000000001D10000-0x0000000001D44000-memory.dmp

Filesize
208KB

Download
memory/1616-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1616-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1728-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-1-0x0000000000820000-0x0000000000854000-memory.dmp

Filesize
208KB

Download
memory/1760-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-60-0x0000000001FA0000-0x0000000001FD4000-memory.dmp

Filesize
208KB

Download
memory/1836-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-126-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1912-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-130-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2208-148-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-108-0x0000000001C30000-0x0000000001C64000-memory.dmp

Filesize
208KB

Download
memory/2268-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2288-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-116-0x00000000003B0000-0x00000000003E4000-memory.dmp

Filesize
208KB

Download
memory/2292-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-267-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2396-43-0x00000000006F0000-0x0000000000724000-memory.dmp

Filesize
208KB

Download
memory/2452-38-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-33-0x00000000004F0000-0x0000000000524000-memory.dmp

Filesize
208KB

Download
memory/2460-241-0x0000000001E50000-0x0000000001E84000-memory.dmp

Filesize
208KB

Download
memory/2460-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2556-211-0x00000000003C0000-0x00000000003F4000-memory.dmp

Filesize
208KB

Download
memory/2556-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2684-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2728-202-0x0000000000390000-0x00000000003C4000-memory.dmp

Filesize
208KB

Download
memory/2728-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2768-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-143-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2972-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3056-7-0x0000000000370000-0x00000000003A4000-memory.dmp

Filesize
208KB

Download
memory/3056-2-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

description	pid	process	target process
PID 1760 wrote to memory of 3056	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1760 wrote to memory of 3056	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1760 wrote to memory of 3056	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1760 wrote to memory of 3056	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1760 wrote to memory of 3024	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1760 wrote to memory of 3024	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1760 wrote to memory of 3024	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 1760 wrote to memory of 3024	1760	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	reg.exe
PID 3056 wrote to memory of 2768	3056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3056 wrote to memory of 2768	3056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3056 wrote to memory of 2768	3056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 3056 wrote to memory of 2768	3056	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2768 wrote to memory of 2972	2768	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2768 wrote to memory of 2972	2768	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2768 wrote to memory of 2972	2768	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2768 wrote to memory of 2972	2768	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2972 wrote to memory of 2452	2972	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2972 wrote to memory of 2452	2972	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2972 wrote to memory of 2452	2972	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2972 wrote to memory of 2452	2972	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2452 wrote to memory of 2396	2452	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2452 wrote to memory of 2396	2452	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2452 wrote to memory of 2396	2452	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2452 wrote to memory of 2396	2452	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2396 wrote to memory of 1076	2396	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2396 wrote to memory of 1076	2396	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2396 wrote to memory of 1076	2396	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2396 wrote to memory of 1076	2396	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1076 wrote to memory of 1836	1076	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1076 wrote to memory of 1836	1076	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1076 wrote to memory of 1836	1076	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1076 wrote to memory of 1836	1076	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1836 wrote to memory of 1428	1836	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1836 wrote to memory of 1428	1836	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1836 wrote to memory of 1428	1836	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1836 wrote to memory of 1428	1836	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1428 wrote to memory of 1828	1428	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1428 wrote to memory of 1828	1428	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1428 wrote to memory of 1828	1428	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1428 wrote to memory of 1828	1428	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1828 wrote to memory of 2684	1828	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1828 wrote to memory of 2684	1828	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1828 wrote to memory of 2684	1828	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1828 wrote to memory of 2684	1828	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2684 wrote to memory of 1616	2684	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2684 wrote to memory of 1616	2684	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2684 wrote to memory of 1616	2684	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2684 wrote to memory of 1616	2684	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1616 wrote to memory of 2288	1616	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1616 wrote to memory of 2288	1616	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1616 wrote to memory of 2288	1616	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 1616 wrote to memory of 2288	1616	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2288 wrote to memory of 2268	2288	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2288 wrote to memory of 2268	2288	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2288 wrote to memory of 2268	2288	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2288 wrote to memory of 2268	2288	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2268 wrote to memory of 2292	2268	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2268 wrote to memory of 2292	2268	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2268 wrote to memory of 2292	2268	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2268 wrote to memory of 2292	2268	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2292 wrote to memory of 1912	2292	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2292 wrote to memory of 1912	2292	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2292 wrote to memory of 1912	2292	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe
PID 2292 wrote to memory of 1912	2292	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe	2eccfd4a551febe9fd022ffb64c68267f9368eb0b432eed57d9ba48c6b2d2e3f.exe