Malware Analysis Report

2025-01-18 21:16

Sample ID 240321-27dgracg76
Target ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e
SHA256 ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e

Threat Level: Known bad

The file ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

Modifies WinLogon

Adds Run key to start application

Installs/modifies Browser Helper Object

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 23:13

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 23:13

Reported

2024-03-21 23:15

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows, no indicator detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
(56 identical rows, no indicator detail recorded)

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
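
Reading the registry signatures above together: the Winlogon Shell ("Explorer.exe"), Winlogon UserInit ("C:\Windows\system32\userinit.exe,") and exefile\shell\open\command ("%1" %*) writes carry the stock Windows data, so on this run those signatures record a rewrite of the default rather than a hijack. The writes that actually establish persistence are the Schedule service ImagePath (normally svchost.exe -k netsvcs, here redirected to spools.exe) and the two Run values (ntuser -> spools.exe, autoload -> cftmon.exe). Note also that the file is dropped under C:\Windows\SysWOW64\drivers while every registry value references C:\Windows\system32\drivers; that is consistent with WOW64 file-system redirection of a 32-bit writer (the Wow6432Node keys point the same way), and a 64-bit reader such as services.exe resolves system32\drivers natively, so a hunt has to check both directories. The script below is an added example, not part of the sandbox report: it parses "Set value" indicator lines in the report's own format, classifies each autostart location as default, hijack or autostart, and expands referenced system32 paths to their WOW64-redirected twin. The INDICATORS list is constructed from the behavioral1 rows with the writing process shortened to sample.exe; DEFAULTS holds Windows 7 default data and WOW64_EXEMPT the system32 subdirectories the redirector leaves alone.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One "Set value (type) <key> = "<data>" <process> <target>" row from the report.
INDICATOR_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Windows 7 default data for the locations this sample rewrote (compared case-insensitively).
DEFAULTS = {
    "winlogon:shell": "explorer.exe",
    "winlogon:userinit": r"c:\windows\system32\userinit.exe,",
    "exefile:open": '"%1" %*',
    "service:schedule": r"%systemroot%\system32\svchost.exe -k netsvcs",
}

# system32 subdirectories that the WOW64 file-system redirector does NOT send to SysWOW64.
WOW64_EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")

# Constructed from the report's behavioral1 rows; process path shortened to sample.exe.
INDICATORS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]


@dataclass
class Finding:
    key: str                 # registry path as written in the report
    location: str            # normalized autostart location, e.g. "run:ntuser"
    data: str                # value data with the report's escaping undone
    verdict: str             # "default", "hijack" or "autostart"
    hunt_paths: list = field(default_factory=list)  # where the referenced binary may live


def unescape(data: str) -> str:
    # The report escapes quotes and backslashes inside value data; undo that.
    return re.sub(r"\\(.)", r"\1", data)


def classify_key(key: str) -> Optional[str]:
    """Map a registry path to one of the autostart locations we know how to judge."""
    k = key.lower()
    m = re.search(r"\\winlogon\\(shell|userinit)$", k)
    if m:
        return f"winlogon:{m.group(1)}"
    m = re.search(r"\\currentversion\\run\\([^\\]+)$", k)
    if m:
        return f"run:{m.group(1)}"
    m = re.search(r"\\services\\([^\\]+)\\imagepath$", k)
    if m:
        return f"service:{m.group(1)}"
    if re.search(r"\\classes\\exefile\\shell\\open\\command\\?$", k):
        return "exefile:open"
    return None


def referenced_binary(data: str) -> str:
    """First .exe path in the value data (drops a trailing comma or arguments)."""
    m = re.match(r'^"?([^",]+?\.exe)', data, re.I)
    return m.group(1) if m else data


def wow64_paths(path: str) -> list:
    """[native, redirected] for a system32 path that a 32-bit writer would have been redirected on."""
    m = re.match(r"(?i)^(%systemroot%|c:\\windows)\\system32\\(.+)$", path)
    if not m:
        return [path]
    tail = m.group(2)
    if tail.lower().startswith(WOW64_EXEMPT):
        return [path]
    return [path, f"{m.group(1)}\\SysWOW64\\{tail}"]


def triage(lines) -> list:
    findings = []
    for line in lines:
        m = INDICATOR_RE.match(line.strip())
        if not m:
            continue
        loc = classify_key(m["key"])
        if loc is None:
            continue
        data = unescape(m["data"])
        default = DEFAULTS.get(loc)
        if default is None:
            verdict = "autostart"   # Run values have no default; any entry is an autostart
        elif data.lower() == default:
            verdict = "default"     # stock data rewritten; no hijack on this run
        else:
            verdict = "hijack"
        hunt = [] if verdict == "default" else wow64_paths(referenced_binary(data))
        findings.append(Finding(m["key"], loc, data, verdict, hunt))
    return findings


if __name__ == "__main__":
    for f in triage(INDICATORS):
        print(f"{f.verdict:9} {f.location:18} {f.data}")
        for p in f.hunt_paths:
            print(f"{'':9} hunt: {p}")
```

Feed it the raw "Set value" rows from any report in this format; rows that are not registry writes (file drops, drive enumeration) are skipped. A "default" verdict is not a clean bill of health: a write to Winlogon\Shell by an unsigned binary in %TEMP% is still worth alerting on, it just means the value does not point at the malware on this run.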

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
(37 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 808 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Windows\SysWOW64\reg.exe
PID 2340 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2300 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2564 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2188 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2468 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 612 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 1868 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 1496 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 1680 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2748 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 1464 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2828 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 1408 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
PID 2816 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp

Files

\??\c:\stop

C:\Windows\SysWOW64\drivers\spools.exe

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 27e176f0ca9eb1c1b25fd6e009e94ec9
SHA1 08002592fe808a8e5ee89b2f0b737296845731f6
SHA256 63d2fe87c5a647f86fc59482ad71cb9c24eb56b9c9a1af5e55b16292ac105990
SHA512 a0988e7e179c102f51caa4393477c8f72c79faf1d542d690944d907df58e60d554eeb4da2d95df675874300a8c7944c2925f0aad670f69be188bcf38fc9fda3d

memory/1332-145-0x0000000000370000-0x00000000003A4000-memory.dmp

memory/1332-150-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1728-148-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8dfee044d25fcafab982dd830451a144
SHA1 6c3d732eca7cd3df3e84794fc5a7714b8a6316c5
SHA256 8fa2fc514a681b8cd21953c894fd02d562ea7d422a09676abd7884b59f9397eb
SHA512 2ac884234fd65da903fa12f28f480294a419e0018f3d305e5375cedfe8ada34a0f951b1fa0de5cc7d646f370541e99e0bd21425bb74d5c3e9d4aeba86c652457

memory/1728-158-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ac64b80c46e4bd0b242964da58be1abf
SHA1 b5c11c4bc6d399511599ee29ee5107634a47ef9d
SHA256 f38b610b82de74bfc753302e6fb7a5416d9554f3f5d0d3ee772c78347b9de276
SHA512 b9262c1aa6831bf798f3cb989379db8dd1ccbb64d6ebf2bf82204f7dba3857b0aee71ae4cde9b4e46beb3f791aa60e78d04920379d8f6fb47aba6343e4e3bc9f

memory/2328-165-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 23f821a4766886c67e49c5426b3b324f
SHA1 363cf8b27703b5a90324e09e50ac9993de33dc7c
SHA256 208bfb58082580f3bb673629d8f6f12e01ef76747f1584caa18ab3e20db91093
SHA512 1fed450690868586fe01e99609042dc64fcb0c6320944c5c63076c469611a09449b903d340c11c79490c26625c5715b604c024b3465f4994acf6245612b75ef1

memory/1428-162-0x0000000000550000-0x0000000000584000-memory.dmp

memory/1428-167-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2328-172-0x00000000004C0000-0x00000000004F4000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 edd53e85eec3d1041a10bd1b2fd4ad0b
SHA1 273c2aa913dbe0a77b3d0607e5a7d27c7111bfb1
SHA256 b5bbdbbf2ce5a8eaec7e3a3ecb53eac49d4ed096b3d226392411be9395917cbe
SHA512 2dafd610da52373a6f970557a9d88f22b22d634d9abc46779748dad73e30e0eb4f19ad10c87c4ef21c6b444cd38ca37ca2b3f033c922b9465f57a9db0f54169a

memory/2328-177-0x0000000000400000-0x0000000000434000-memory.dmp

memory/876-175-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6d35ee9418395301ebd7eebdd6a24e5c
SHA1 ee04935f3bfda7284c1725e886bae4996b53dbb0
SHA256 e409f65829c28c56f699d11090ad4f662e82dde7e5752d3a7fd2969a120771d5
SHA512 953131ec1c5f2a5c67419c8e5724778ec87b714ddef656da06aaa7ea229a9e449e77bda8951c994319411d6bc0b580228b6555a12cf11b03e8e379d67a2f054d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5b156d57d178a75062e58acf8771efbd
SHA1 349714da4ac093bca1d80ebf0012944afaba1fe7
SHA256 74156213f3e346faef0e8dc167b9361fcf8609a886006ace6dc9401dc5c165d1
SHA512 085cf14d4eeb539511b98f22a0eadbe1ab3da572708331d7b789bc1f12df5c928dd4bfceac0091f9b91079c91622dc0b3acd7a4375c0989f3ade6775d0aa7cac

memory/876-183-0x0000000000540000-0x0000000000574000-memory.dmp

memory/1668-184-0x0000000000400000-0x0000000000434000-memory.dmp

memory/876-186-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 331505bac8420f307f40001c6f355051
SHA1 78adb44b798844f5e7cdb67e2eb6f68830ff313d
SHA256 67abb5358f67f1832c407960a6f45e3147033c97452c98290d954479705d9a8a
SHA512 5f78b28029331f89abb1bfd3db1ada8a9fee7efae845bb60bcb3697658346e083c35cfdef0b919e05e85ba32400c65c8374c210c281c1a740d5cc14e59520a21

memory/3040-191-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1668-195-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4bea5665df75444f7ea03e123b1c5d23
SHA1 5c26da88d77c5503c2a629b905dcee7105de242f
SHA256 24e9f8d18cad79f5b9450dd746eb9839b22a47a395040feb6482b8f76c12c7e4
SHA512 c30416cc4e9b4d765fa89893c6dec58fe43a3719c8f8d234045f07be56b19b066cb7c781c2f7fed1e8938967d1cdae54984ee297bb0289cbdcc3525ebdee26d4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 469b9e592243edbaa0c240700a9a4a81
SHA1 e6e4be2a5898e6728de4696460de85866bd79625
SHA256 1895dbcd37351904a5f9053ae3e7bb23d5f196e656afd9956e3422e46e1707cf
SHA512 943be9c5088b47a024d0a3b5e8737d0b596952c3c4d99b563440e8b1d87080e4fb1a30457cab350e737ceb4ef8f500056ec272b8cc6d7497dfb1d37488ab3a71

memory/3040-199-0x00000000003C0000-0x00000000003F4000-memory.dmp

memory/2696-204-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3040-203-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2696-209-0x00000000003A0000-0x00000000003D4000-memory.dmp

memory/2696-213-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0798d96acd8ec183ee66b04a6cc5abf0
SHA1 4d50d2a05c8c913dd8966ae066cf9fca3921c5fe
SHA256 be3473fb6093dac887dd09627b139b74b93cb8dee33fcc913b0b9b3bc1a862be
SHA512 81cac9a707020f151189a746a5522d7709fc735a60767b3ee451dde5c6d836e45fcf00c271dd4952857c307adad9508b8f621981d03dd0bacc0c5b7eb847fdb4

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8f8938c337cd8099b0db7689e5206739
SHA1 d7e3ff46353cb0b4251244bc1093b64194657c18
SHA256 56f9feca8ab2f1e8e03fa34c36dc5343b109efc6e89c6f1d8910a6697c2ad8aa
SHA512 6abb4346545e1241ee11489efbac171f25ce83b477edccb34a80adb5bd17836591da6749ed41db698845012578b143e9102d43ee044257131281e6167f198004

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cb5e789d02988266a2a4f4ee7dcefef2
SHA1 34b50d954aecf2bd1dcbbfcd9173cc934b437c8e
SHA256 4293a77465d100fc1459f34da900a73a9315591f2cc3ffbbf648cea0d9adc6ef
SHA512 9938814d930fc3236845c36474094441b76bcdfbca8655951fc1f5cf69ac4fb2596967c6059cf35f0ff8c47cacca793887dc723af4f4399cda078aa823a35d52

memory/2300-219-0x0000000000360000-0x0000000000394000-memory.dmp

memory/2612-220-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2300-222-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2612-231-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 26282eec9e8fda7f50f29bac5132a11c
SHA1 e6e1c400b2dfaa1ed35b0deebfe7d994fc29e06b
SHA256 c89e6aca90c4a80147389e84d872c58ce549bb1c54a99cba1c6dfd2c6e756512
SHA512 41a65602250db494ecfac0e146d462855a36c1d5f5a2b00efae1d57a481f3e72ccc42b2d95960046174ac9cfecaade496adc5c9adc4ad0e070d50c4a0799d141

memory/2612-227-0x0000000000390000-0x00000000003C4000-memory.dmp

memory/2188-232-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0dcae2959e096d2d7078349c7ddde6fd
SHA1 67d31140683f0d0a82cc4e081171bb96bb4a1f14
SHA256 e7d6a1774d225780914b96fe776b18f79448a21f6bf63312117335b5d875980d
SHA512 af95fa889f6dea12311a3e1b296e303d0024a28cdb5ab9cf9fabfcc25526c3358a29158675c69608a2ddde8bd57439ba5df1af4425ecfd8d851bd86bc3b302e9

memory/2188-237-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2188-238-0x0000000000830000-0x0000000000864000-memory.dmp

memory/2480-239-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2480-245-0x0000000000400000-0x0000000000434000-memory.dmp

memory/992-251-0x0000000000400000-0x0000000000434000-memory.dmp

memory/612-252-0x0000000000400000-0x0000000000434000-memory.dmp

memory/992-258-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1764-264-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1556-270-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1360-276-0x0000000000400000-0x0000000000434000-memory.dmp

memory/304-277-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1360-283-0x0000000000400000-0x0000000000434000-memory.dmp

memory/328-290-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1872-291-0x0000000000400000-0x0000000000434000-memory.dmp

memory/328-288-0x0000000001F20000-0x0000000001F54000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 23:13

Reported

2024-03-21 23:15

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe N/A
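The registry writes in the tables above are easy to over-read. The Shell, UserInit and exefile open-command values the sample writes are the stock Windows defaults, so those rows record a rewrite, not a hijack. The writes that change what the host will execute are the Task Scheduler service ImagePath (Services\Schedule, now pointing at spools.exe instead of svchost.exe) and the two Run entries, ntuser and autoload. Two path details matter for a responder: the ImagePath and Run values name C:\Windows\system32\drivers\spools.exe while the file was dropped under C:\Windows\SysWOW64\drivers\, which is where a 32-bit process's writes to system32 land on x64, and the cftmon.exe path uses the XP-style Local Settings\Application Data form, which on Vista and later resolves through the compatibility junctions to AppData\Local. The BHO signature likewise records a spawned 32-bit reg.exe deleting the WOW6432Node Browser Helper Objects key (see Processes below): removal of existing add-ons, not installation of one, and the 64-bit key is untouched. The Python script below is an added example, not part of the report or of the sandbox's tooling. It parses the "Set value (str)" indicator lines copied from the tables above and separates default-value rewrites from real persistence. The default-value table, and the treatment of UIHost = logonui.exe as the XP-era default (on current Windows the value is normally absent), are assumptions to verify against a clean baseline of the target OS.

```python
"""Triage of the 'Set value (str)' registry writes reported in the signature tables.

The sandbox flags the write, not the resulting value. This script parses each
indicator line, compares the written value with what a clean host carries for
that key, and labels it default / hijack / persistence / unknown.
"""
import re
from typing import Callable, Dict, List, Tuple

# Indicator text copied from the behavioral2 signature tables of this report.
SAMPLE_LINES = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"
'''

LINE_RE = re.compile(r'^Set value \(str\) (?P<key>.+?) = "(?P<val>.*)"$')
HIVE_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER\\S-[0-9-]+)\\', re.IGNORECASE)

# Values a clean host carries for keys that always exist (assumption: baseline of
# the target OS; UIHost = logonui.exe is the XP-era default and is normally absent
# on current Windows). Anything else written here replaces what Windows runs.
DEFAULTS: Dict[str, Callable[[str], bool]] = {
    r"software\microsoft\windows nt\currentversion\winlogon\shell":
        lambda v: v.lower() == "explorer.exe",
    r"software\microsoft\windows nt\currentversion\winlogon\userinit":
        lambda v: v.lower() == r"c:\windows\system32\userinit.exe,",
    r"software\microsoft\windows nt\currentversion\winlogon\uihost":
        lambda v: v.lower() == "logonui.exe",
    r"software\classes\exefile\shell\open\command":
        lambda v: v == '"%1" %*',
    # The Task Scheduler service is hosted by svchost.exe on every Windows version.
    r"system\currentcontrolset\services\schedule\imagepath":
        lambda v: "svchost.exe" in v.lower(),
}


def unescape(value: str) -> str:
    """Undo the report's escaping of quotes and backslashes inside values."""
    return value.replace(r'\"', '"').replace('\\\\', '\\')


def normalize_key(key: str) -> str:
    """Drop hive/SID prefix, WOW6432Node and ControlSet numbering so the 32-bit,
    64-bit, machine and per-user views of one key compare equal."""
    k = HIVE_RE.sub('', key).lower()
    k = k.replace('wow6432node\\', '')
    k = re.sub(r'controlset\d+', 'currentcontrolset', k)
    return k.rstrip('\\')


def classify(key: str, value: str) -> str:
    k = normalize_key(key)
    if '\\currentversion\\run\\' in k:
        return 'persistence'      # Run keys hold no entries on a clean host
    check = DEFAULTS.get(k)
    if check is None:
        return 'unknown'          # not baselined here: review manually
    return 'default' if check(value) else 'hijack'


def triage(text: str) -> List[Tuple[str, str, str]]:
    """Return (category, key, value) for every 'Set value (str)' line in text."""
    out = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            val = unescape(m['val'])
            out.append((classify(m['key'], val), m['key'], val))
    return out


def redirected_path(path: str) -> str:
    """Where a 32-bit process's write to \\system32\\ lands on x64 (file-system
    redirection); the report shows the drop under SysWOW64."""
    return re.sub(r'\\system32\\', r'\\SysWOW64\\', path, flags=re.IGNORECASE)


def legacy_to_modern(path: str) -> str:
    """Resolve the XP-style profile path through the compatibility junctions that
    Vista and later keep for it."""
    return re.sub(r'\\Local Settings\\Application Data\\', r'\\AppData\\Local\\',
                  path, flags=re.IGNORECASE)


if __name__ == '__main__':
    for cat, key, val in triage(SAMPLE_LINES):
        if cat == 'default':
            continue                  # rewrite of a stock value: nothing to collect
        print(f'{cat:12} {key} = {val}')
        if '\\system32\\' in val.lower():
            print(f'{"":12} also check {redirected_path(val)}')
        if 'local settings' in val.lower():
            print(f'{"":12} also check {legacy_to_modern(val)}')
```

Run as-is it lists the ImagePath hijack and the two Run entries with the alternate on-disk paths to collect; feed it the behavioral1 tables, or a `reg query` export reformatted to the same shape, to triage another detonation.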

Processes

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 bublikimanager.com udp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp
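Most of the Network table is background: reverse (in-addr.arpa) lookups and Bing hosts that the Windows image contacts on its own. What is attributable to the sample is the resolution of bublikiadministrator.com followed by a TCP connection to 193.166.255.171:80 (FI), and a lookup of bublikimanager.com with no connection recorded in the capture window. The lookup of 171.255.166.193.in-addr.arpa is the PTR of the IP just contacted; such reverse lookups are commonly issued by the OS or the analysis environment rather than by the sample itself. The Python below is an added example, not the report's own tooling: it applies this filtering to the rows copied from the table. Treating *.bing.com and *.bing.net as background is an assumption tied to this sandbox image.

```python
"""Sort a sandbox Network table into background noise and sample-attributable traffic.

Rows are copied from the behavioral2 Network table of this report. PTR names are
reversed back to IPs so reverse lookups can be matched against hosts actually
contacted over TCP.
"""
import re
from typing import Dict, List, Optional

NETWORK_ROWS = """
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 bublikimanager.com udp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.79.70.13.in-addr.arpa udp
"""

# Assumption: these hosts are contacted by Windows itself in this sandbox image,
# not by the sample. Adjust to your own baseline.
BACKGROUND_SUFFIXES = ('.bing.com', '.bing.net')

ROW_RE = re.compile(r'^(?P<cc>[A-Z]{2}) (?P<dest>\S+) (?P<domain>\S+) (?P<proto>tcp|udp)$')


def parse_rows(text: str) -> List[Dict[str, str]]:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """'171.255.166.193.in-addr.arpa' -> '193.166.255.171'; None if not a PTR name."""
    suffix = '.in-addr.arpa'
    if not name.endswith(suffix):
        return None
    return '.'.join(reversed(name[:-len(suffix)].split('.')))


def summarize(text: str) -> dict:
    rows = parse_rows(text)
    candidates: Dict[str, dict] = {}   # domain -> {'dns': bool, 'tcp': [dest, ...]}
    ptr_ips: List[str] = []
    contacted = set()                  # IPs with at least one TCP row
    for r in rows:
        if r['proto'] == 'tcp':
            contacted.add(r['dest'].rsplit(':', 1)[0])
        ip = ptr_to_ip(r['domain'])
        if ip is not None:
            ptr_ips.append(ip)
            continue
        if r['domain'].endswith(BACKGROUND_SUFFIXES):
            continue
        entry = candidates.setdefault(r['domain'], {'dns': False, 'tcp': []})
        if r['proto'] == 'udp' and r['dest'].endswith(':53'):
            entry['dns'] = True
        elif r['proto'] == 'tcp':
            entry['tcp'].append(r['dest'])
    return {
        'candidates': candidates,
        'ptr_ips': ptr_ips,
        # reverse lookups that name an IP the box actually connected to
        'ptr_of_contacted': sorted(set(ptr_ips) & contacted),
    }


if __name__ == '__main__':
    s = summarize(NETWORK_ROWS)
    for domain, info in s['candidates'].items():
        status = ', '.join(info['tcp']) if info['tcp'] else 'resolved only, no connection recorded'
        print(f'{domain}: {status}')
    print(f"{len(s['ptr_ips'])} reverse lookups; PTR of contacted hosts: {s['ptr_of_contacted']}")
```

The two candidate domains and the single port-80 connection are what belong in a block list or a detection; the fourteen PTR queries and the Bing traffic do not.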

Files

memory/968-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/476-5-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 aec04ed7c629d94449731a279bae9961
SHA1 957de03dba4853041a4004be25ac00f8ccf24c90
SHA256 80ab2aaadc8c89a51147e7ed72fb4d4f014d5a82c4114e64958b07569bbd63e0
SHA512 188ea95f081731f9f7f5632a9d82c5f3d52e16c66144524efe0aef022fcfb33a6abe1386a1cfdda169dcdbc1880d44711bf0ad97ebb7dd76f182b9ef6dc88fa6

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/968-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 13fe5d48923456746eabd678389abdeb
SHA1 799723ff31f0c49487c2c1ee293d172353c6aeba
SHA256 7fc2205f2c2e77268834a737b78bd49a3bdb44252d6bac4ca802392591a2809f
SHA512 faae9418e509458e7a0bd7352eaccc7758e61c3a97442567943a22e4bff6e717535ceeaa9bb0257141f0659f1464d339d4c1431313afa3febe749682bc4d8d5e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d830dfcf25aa1bb0f714d27b183a0bdb
SHA1 6b1ce152eafd067ceaa8b25fcd29836f2d4dca1e
SHA256 c90cf6b2c47ba3268133ce4eb61bf0b01a3bb476348996d98c6284ab27a72d30
SHA512 509bbb058656445066d32941b2691792de96c71db3c657d3ebcacaea4e61921cace86ff655123cc43e51a72aa4430e811ab147346a636e3022e50e530f5e2c92

memory/476-18-0x0000000000400000-0x0000000000434000-memory.dmp
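Two things stand out in the Files listings of both detonations: the same two paths, spools.exe and cftmon.exe, are recorded repeatedly with a different hash each time, so the file hashes are weak indicators for this sample and the path, the registry writes and the behaviour are what to pivot on; and the four hashes reported for \??\c:\stop are exactly the digests of the single byte "1", which is consistent with a marker file (an interpretation, not something the report states). The Python below is an added example, not part of the report. It parses an excerpt of the listing copied from this report (SHA512 lines dropped from every entry except c:\stop to keep the excerpt short) and checks both points.

```python
"""Parse a sandbox Files listing: hash stability per dropped path, plus a check of
what a tiny file contained by recomputing its reported digests.

The excerpt is copied from the Files sections of this report. Lines of the form
'memory/<pid>-<n>-...-memory.dmp' are memory dumps and carry no hashes.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set

FILES_EXCERPT = r'''
memory/968-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 aec04ed7c629d94449731a279bae9961
SHA1 957de03dba4853041a4004be25ac00f8ccf24c90
SHA256 80ab2aaadc8c89a51147e7ed72fb4d4f014d5a82c4114e64958b07569bbd63e0

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 13fe5d48923456746eabd678389abdeb
SHA1 799723ff31f0c49487c2c1ee293d172353c6aeba
SHA256 7fc2205f2c2e77268834a737b78bd49a3bdb44252d6bac4ca802392591a2809f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d830dfcf25aa1bb0f714d27b183a0bdb
SHA1 6b1ce152eafd067ceaa8b25fcd29836f2d4dca1e
SHA256 c90cf6b2c47ba3268133ce4eb61bf0b01a3bb476348996d98c6284ab27a72d30

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1b02efb63c62ead02c47108f2307ba3d
SHA1 cdc3c11a5dcb58cc06fd2b0a9394471592acaace
SHA256 53c3b6807bf07f45381a9d69e7d2e73af5931f4619676ee0939c7b300565006f

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 53d84c047936c3bcf61008ce7a23c727
SHA1 518f235bf9e7d2e5339b097947cd3edf0ddaec7f
SHA256 82c8848faeaccc6e8f356c58cb984b82e9ab26a1a3043d1d6b6bd7b29c127760
'''

HASH_RE = re.compile(r'^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$')
ALGOS = ('md5', 'sha1', 'sha256', 'sha512')   # hashlib names, lower-case


def parse_files(text: str) -> List[Dict[str, str]]:
    """One record per path line; following hash lines attach to it."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('memory/'):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {'path': line}
            records.append(current)
    return records


def distinct_hashes_by_path(records: List[Dict[str, str]], algo: str = 'sha256') -> Dict[str, Set[str]]:
    """How many different contents were written to each path."""
    out: Dict[str, Set[str]] = {}
    for r in records:
        if algo in r:
            out.setdefault(r['path'], set()).add(r[algo])
    return out


def find(records: List[Dict[str, str]], path: str) -> Optional[Dict[str, str]]:
    return next((r for r in records if r['path'].lower() == path.lower()), None)


def matches_content(record: Dict[str, str], data: bytes) -> bool:
    """True if every digest the report lists for this record equals the digest of data."""
    present = [a for a in ALGOS if a in record]
    return bool(present) and all(hashlib.new(a, data).hexdigest() == record[a] for a in present)


if __name__ == '__main__':
    recs = parse_files(FILES_EXCERPT)
    for path, hashes in distinct_hashes_by_path(recs).items():
        print(f'{len(hashes)} distinct SHA256 for {path}')
    stop = find(recs, r'\??\c:\stop')
    print('c:\\stop content is the single byte "1":', stop is not None and matches_content(stop, b'1'))
```

Pointing `parse_files` at the full behavioral1 listing above gives a much larger distinct-hash count for both paths, which is the concrete reason to prefer the registry and path indicators over file hashes when hunting for this sample.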