Analysis Overview
SHA256
ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e
Threat Level: Known bad
The file ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Detects executables built or packed with MPress PE compressor
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
Modifies WinLogon
Adds Run key to start application
Installs/modifies Browser Helper Object
Enumerates connected drives
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 23:13
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 23:13
Reported
2024-03-21 23:15
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Caveat: both values are the stock Windows ones (Shell = Explorer.exe, Userinit = C:\Windows\system32\userinit.exe,), so the sample rewrote the defaults rather than pointing Winlogon at itself. The key path also shows the write landed in the Wow6432Node view: the 32-bit sample is subject to WOW64 registry redirection on this x64 image, and the 64-bit winlogon.exe reads the native Winlogon key, not this one. Treat this hit as noise for persistence; the Run keys and the Schedule service ImagePath recorded further down are the real persistence.
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Caveat: two different packer rules fired on this sample, MPress in the static pass and a UPX dump-on-OEP during detonation. Both are loose heuristics and are unlikely to both describe the same layer. UPX normally leaves UPX0/UPX1 section names and MPress .MPRESS1/.MPRESS2, so check the section table of the original file and of the 0x400000-0x434000 image dumps listed under Files before attributing the packer. The OEP dump itself is the useful artifact either way, since it was taken after the unpacking stub ran.
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Caveat: the SYSTEM hive is not WOW64-redirected, so this really does repoint the Schedule (Task Scheduler) service, normally hosted by svchost.exe on Windows 7, at a standalone binary. Compare the path with the Files section, which records the drop at C:\Windows\SysWOW64\drivers\spools.exe: the 32-bit sample's write to system32 was redirected by the file-system side of WOW64, while the 64-bit service controller resolves C:\Windows\system32\drivers\spools.exe literally. Before concluding the service hijack works, check whether a copy also exists in the real system32; this report (truncated at the end) does not show one.
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Caveat: the data written is the stock association "%1" %*. A hijack would put another executable in front of "%1"; this write leaves (or restores) the default, so on its own it is not persistence. HKLM\SOFTWARE\Classes is shared between the 32-bit and 64-bit registry views (note the absence of Wow6432Node in the path, unlike the other HKLM\SOFTWARE writes from the same process), so the write does reach the real association.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Caveat: these four writes are the sample's actual persistence. The value names are ntuser and autoload, and the file names mimic legitimate Windows binaries (spools.exe against the spooler's spoolsv.exe, cftmon.exe against ctfmon.exe). Explorer processes Run entries in the Wow6432Node view as well as the native one, so the HKLM writes count even though they were redirected. The cftmon.exe path uses the XP-style "Local Settings\Application Data" folder, which on Windows 7 is a chain of compatibility junctions resolving to C:\Users\Admin\AppData\Local\cftmon.exe, so look for the file there on a live host. The spools.exe path has the same system32 versus SysWOW64 mismatch as the Schedule service entry: the Files section records the drop under SysWOW64\drivers, while the 64-bit Explorer will resolve the system32 path literally.
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Caveat: despite the rule name, nothing is installed here. The recorded operations are deletions, and the Processes section shows the command reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f, which removes the whole BHO key together with the three CLSIDs already registered on the analysis image. Because the 32-bit C:\Windows\SysWOW64\reg.exe was used, the deletion hit the Wow6432Node view, i.e. the BHOs loaded by the 32-bit Internet Explorer. The sample registers no BHO of its own.
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Caveat: UIHost is a Windows XP-era Winlogon value (it named the logon UI host, and logonui.exe was its stock data). Windows Vista and later do not consult it, and this write went to the Wow6432Node view in any case, so it is another noise hit rather than persistence.
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
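The signature tables above are the usable part of this report, but the sandbox fires on the write itself and does not say which writes matter. The script below is an added example, not part of the sandbox report or of the sample: it takes the registry indicators and dropped-file paths copied from this page as constructed input, strips the sandbox's escaping, separates writes that merely set the stock Windows value from writes that point at a file, and cross-checks each file target against the recorded drops while accounting for WOW64 file-system redirection (a 32-bit process's write to system32 lands in SysWOW64). The default-value table, the assumption that UIHost is inert on Windows 7, the function names and the status labels are this example's own. It also checks the recorded c:\stop MD5 against a few plausible one-byte contents.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed input: the "Set value (str)" indicators copied from this
# report's behavioral1 signature tables. The sandbox escapes backslashes
# and quotes inside the value data; parse_indicator() undoes that.
REPORT_REG_WRITES = [
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe"',
    r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe"',
    r'\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe"',
]

# Constructed input: the file paths recorded under Files in this report.
REPORT_DROPS = [
    r"C:\Windows\SysWOW64\drivers\spools.exe",
    r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe",
    r"\??\c:\stop",
]

# Stock Windows 7 data for the locations the sample wrote (lower-cased).
# Writing the default back is noise for persistence purposes even though
# the sandbox rule still fires on the write itself.
DEFAULTS = {
    "\\winlogon\\shell": "explorer.exe",
    "\\winlogon\\userinit": "c:\\windows\\system32\\userinit.exe,",
    "\\classes\\exefile\\shell\\open\\command\\": '"%1" %*',
}
# Assumption encoded here: UIHost is an XP-era Winlogon value that the
# Vista+ logon path does not consult, so a write to it is reported as inert.
INERT = ("\\winlogon\\uihost",)


@dataclass
class RegWrite:
    key: str          # key path, lower-cased for matching
    name: str         # value name; "" is the (Default) value
    data: str         # value data with the sandbox's escaping removed
    wow64_view: bool  # True when the key sits under Wow6432Node


def parse_indicator(line):
    # One indicator has the form <key>\<value name> = "<escaped data>".
    path, _, raw = line.partition(" = ")
    key, _, name = path.rpartition("\\")
    data = raw.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    data = data.replace('\\"', '"').replace("\\\\", "\\")
    return RegWrite(key.lower(), name.lower(), data, "\\wow6432node\\" in key.lower())


def wow64_file_redirect(path):
    # Where a 32-bit process's write to C:\Windows\system32 really lands on x64.
    return re.sub(r"(?i)^c:\\windows\\system32\\", r"C:\\Windows\\SysWOW64\\", path)


def classify(w):
    loc = w.key + "\\" + w.name
    for suffix, default in DEFAULTS.items():
        if loc.endswith(suffix):
            return "default-value" if w.data.lower() == default else "persistence"
    if loc.endswith(INERT):
        return "inert"
    if "\\currentversion\\run\\" in loc or loc.endswith("\\imagepath"):
        return "persistence"
    return "other"


def check_persistence(writes, drops):
    dropped = {d.lower() for d in drops}
    findings = []
    for w in writes:
        kind = classify(w)
        f = {"location": w.key.rsplit("\\", 1)[-1] + "\\" + w.name, "kind": kind,
             "wow64_view": w.wow64_view, "status": None, "notes": []}
        if w.wow64_view and w.key.endswith("\\winlogon"):
            f["notes"].append("Wow6432Node view: the 64-bit winlogon.exe reads the native key, not this one")
        if kind == "persistence":
            if w.data.lower() in dropped:
                f["status"] = "target-dropped"
            elif wow64_file_redirect(w.data).lower() in dropped:
                f["status"] = "target-missing-copy-in-syswow64"
                f["notes"].append("a 64-bit launcher resolves the real system32, but the "
                                  "32-bit sample's file write was redirected to SysWOW64")
            else:
                f["status"] = "target-not-in-recorded-drops"
        findings.append(f)
    return findings


def guess_tiny_file_contents(md5_hex, candidates=(b"", b"0", b"1", b"1\n", b"1\r\n")):
    # Match a recorded MD5 against a few plausible marker-file contents.
    for c in candidates:
        if hashlib.md5(c).hexdigest() == md5_hex.lower():
            return c
    return None


def summarize(writes=REPORT_REG_WRITES, drops=REPORT_DROPS):
    return check_persistence([parse_indicator(line) for line in writes], drops)


if __name__ == "__main__":
    for f in summarize():
        print(f"{f['location']:<22} {f['kind']:<14} {f['status'] or '':<34} {'; '.join(f['notes'])}")
    print("c:\\stop contents:", guess_tiny_file_contents("c4ca4238a0b923820dcc509a6f75849b"))
```

Run as-is it prints one line per write; the same classification can be applied to Autoruns or registry-export output on a live host by feeding it lines in the same path = "data" form.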
Processes
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe (68 further entries with this same image path follow in the original listing, none with a recorded command line; the per-PID memory dumps under Files show the sample image being launched again and again, each instance mapped at 0x400000-0x434000)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
The only traffic recorded is a DNS query for bublikiadministrator.com sent to 8.8.8.8; no follow-on TCP connection appears within the 122 s network window, so the report shows the hostname the sample tries to reach but not whether it resolved or what the sample would do with the answer. Block or monitor the domain, and do not read the absence of further traffic as absence of a network capability.
Files
memory/808-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/808-1-0x0000000000380000-0x00000000003B4000-memory.dmp
memory/2340-2-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2340-7-0x0000000001F90000-0x0000000001FC4000-memory.dmp
memory/808-12-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2340-13-0x0000000000400000-0x0000000000434000-memory.dmp
\??\c:\stop (the recorded hashes are those of the single ASCII character "1")
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2300-10-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8dc3dab53ae6df5248810c9a1e1379e0 |
| SHA1 | 36336d47ac7509264a769967ab635ba0dd50dabf |
| SHA256 | 268a1c5ceca19446c05ea0ca66490e29bbfd0544b6b45868cc758d4c0aa47afd |
| SHA512 | 62ec424c9dc3784369614d8f3b9e9cd002c6570082aa65da45b9d561fb48727a70ce08cd14ef6508154f17f1bdba397605c19f00f69ef5c70038bb53a26fae3e |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e2230b302a32e02f8acd3ac753ef7286 |
| SHA1 | 7a0d4d3fccf90b533045234d033f65660b476834 |
| SHA256 | 8c8b25e06cee7fbbf9bdad15cf51d88a46cb5debcc41fad8ca7353d3c1395b71 |
| SHA512 | 05add2ed729b24780fa60c42035cd348fa1baa36a06e847601f8b3c00f2c530b93d13e2762badad78f429cfe44caf1a27c53152312f6e7b2d248c1d42120d60f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 91cf2a05a18aeb632e0456767c93cd4b |
| SHA1 | 40b9374d1632b9ecd8b9a44f90c809173290cee4 |
| SHA256 | 5601954c3f6ead18d081009048bea26032531c00228e4cefc0e7d8d73fecc97c |
| SHA512 | 18caa861ded656ab13abf43b0ff209b8af231c083af12e4e9ef9a442fe77fcf14c4e38dc7aaa831f5551eae59987235049b37dc5e11e5c80f6582a858f7cd687 |
memory/2300-19-0x0000000001FC0000-0x0000000001FF4000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 514659ceb5639b3e3098eb01ef5fba83 |
| SHA1 | 7ab049e7508ef21217e0f14de72232510505bb06 |
| SHA256 | 9b48b26f3a9462bb8e0436421c466ca2f40337a64766cfb81c4546f970bd16bb |
| SHA512 | 24fa043ae5640dc54978ced582b78a145ac2e529035f8bb401048784ca8b9c080cfb1aec2212c7eee2a75b031966a0754b86db900412ed399dcb01321890afe8 |
memory/2564-20-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-24-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d131e446cf91507741ff44c8f62773d7 |
| SHA1 | 4d2da97d63e8424efe04828338e643c9665de347 |
| SHA256 | 2e1e65c347c07d6bf923d90967e0d34960f588f71d6d283535943039362125fc |
| SHA512 | d8c64e9b88004314d0715f8bfc776ad31ad71a5c79b609330caefb8386d461fce21a085ae5132ce570c06b9f17291eb665375bc61ed4ebb522ff03b0fc1e55aa |
memory/2564-28-0x0000000001F60000-0x0000000001F94000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ab0b0314e109a272fe0753f658dcf125 |
| SHA1 | 5dbbcca5171245c5c58155e0c967894cc068e39c |
| SHA256 | b58b047e10705db07154fe04b4d421d3ec4bd18f3e93ae3e03fe665fb70c9247 |
| SHA512 | b2d8953a3e5b0fc565725ae939aebb7df88612471131fb9b2bf77e71ebbbef5b54026814e7ecc69a7204aa7e642c85ae22ba8f1f9d43675f6890cea6e72dee8b |
memory/2564-32-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9980655ccba09ff7996fb44b52c13bc0 |
| SHA1 | 8e55ae1bd198c7c73a5e97b1b44c82767deec2bc |
| SHA256 | 907df2231ca60bbd6cc0fe0956563d3de0a34ebed48db635d8877a2c272633de |
| SHA512 | ca13fc65a32b558a77e7bfdc9051e6aaab4e187b83a29afed4f9705e8ba37773785e9d3726b9ad4c653faeaf157a199b2951e0b037f11b8c16a82c6f8577aeb7 |
memory/2468-39-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2188-41-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | eaff1a8c6d2179275f7b869522b6794a |
| SHA1 | 7245b4f83785442b21cec95bba8ca5c6b965d3d7 |
| SHA256 | d815ac2860a907fc794cbce9c1ef4732444ce088071334f8a462d690c4255921 |
| SHA512 | ecdb35a49a9fa2d04ed8869458cc942c83fad0116ff44840d4689b64e2ca9da30b44600d303f01fcfa6e84b00036bb4eaea2f2ce0d0baacde51fe393a027c3ec |
memory/2468-45-0x0000000000550000-0x0000000000584000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d7142adb40656f2a7cac577553825644 |
| SHA1 | 40eb3c48691741c03a4e80e417c3035e03dd8ba3 |
| SHA256 | 8805fba574c95e9364f553ca7705a9a0ef12f8171d1e84b80879fd8ffd446e80 |
| SHA512 | bb426f80f9c5c4930d8914abcd3892429b8bedc6e32906ec09fdffd01db124fed3faa76ce8f03c263a626ab3c260e74915ba400a8a99c34f7167ad33f70f0136 |
memory/612-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2468-50-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d3713dcc0763be4071f2e4f003f4465c |
| SHA1 | aae7a1a4225eddb99f4d29408c1a2b93d85fea22 |
| SHA256 | 82954dcfa0b03b3a1df18a961fbd8208dd48582aab1228e4a8f4e4de393a6a42 |
| SHA512 | 90578180ca25fcd10a41320c1baf31d77f3aba4c9dcdfef49c0903b3973405f164dda7ff8139d19261f31eb7db82a03ddb69477a70c83532ab760d2152b7a329 |
memory/612-55-0x0000000000390000-0x00000000003C4000-memory.dmp
memory/1868-60-0x0000000000400000-0x0000000000434000-memory.dmp
memory/612-59-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9c5532a0e3daccc1349a8d5cd23948b1 |
| SHA1 | 1ae08d7653458b2479e02b74fa25421d836c3db2 |
| SHA256 | aac590e3ca8729d9b7ee573fb12875c7492c10b234367e30b9c995fdc60e124d |
| SHA512 | 39466292d71a9afee1a0ec47db0a7b5c03bafff68ef18239daec4e24d104edc2a93cd31603f0a52ca30707366a44bfbde096a2fae58e5f97357544cf75ee8aca |
memory/1868-64-0x0000000000390000-0x00000000003C4000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a39bb5bb8e395cd52ee873ded0abbb5c |
| SHA1 | 19e74addde55181635fa8f89991c4348989c589b |
| SHA256 | d092feac3feed0e6c15e1d5b010726c04111b6dbaf41f70adf764932ea1a5473 |
| SHA512 | 33ec820cc1c6869c5beb7f65452ade068b1b51cfbeb29499b8e037bf80af3a99f2b46a352831912159c2f2064b5a754e804c0273f5d9a5c2edd718bc72dc678e |
memory/1868-68-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1496-75-0x0000000000540000-0x0000000000574000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7607c2ce558c4e5d538983c002f5844f |
| SHA1 | fac59a65e1597971be54533595079d35df21240c |
| SHA256 | 7212390e8c9a0e1e4fdc52c070988a1e886418f482b0a14f5e613b7b7cd4b5f9 |
| SHA512 | 55b3263844e4eae1d737f50626ca90a0d65e403ae86862231233b3d428480ca88b25eb5ad5b5311b238f5237262c120b37a85ac927ac2b39771abb600994be23 |
memory/1680-76-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1496-78-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bac9026ff7e0a5b97301a755b21ea5ff |
| SHA1 | 16495fb370b39ced793c5c309fc57e2a0998fb4c |
| SHA256 | a07a551b4180958751c2e21f9cb70ad0e841c68ccc3e42ae87664d60b3044b67 |
| SHA512 | 910c282b62bd25fc045205ef6dbd461cde0e9aa1af08060dbe9bc765bf24d148a41033c491fd5b332f1f24e07fdcd68dfb8f3f8301f42f419ed12a67d68218b9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 36275a7da2ce786e13507e2bccc74133 |
| SHA1 | 465013bf864dc7a1e96d438aa9814269a18097ad |
| SHA256 | 457f84622969f4b0fa0dfae63d60249b57f7c2a3278ec9b0afa9df113133827f |
| SHA512 | 99e6e473a158fe56148413698bc560ce5289efd961c35ba25ac4f35f3fa407634aaabf3e6b3ef855a7a4d3a315558f077974689e1763e7a0517d8257ee8a4020 |
memory/1680-82-0x00000000003C0000-0x00000000003F4000-memory.dmp
memory/1680-87-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2748-85-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 68ea13e86bd087ebb6d8bd0177a7077f |
| SHA1 | 3a637c64a405c7c998d1b312adcb2de7cdedde15 |
| SHA256 | 5628bcb1acf978c62b285be3ad61508d4f6c5a49a01b496d88c1180f3fe8c771 |
| SHA512 | 26404fa7a1ff2d714947979c21bb6f26854047be7fc942db8160a3cea9a294ddaa54b2281e38b5686597672f3681c87cf4bbb57639884f987da4a76233cf6294 |
memory/2748-92-0x00000000002E0000-0x0000000000314000-memory.dmp
memory/2748-96-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1464-97-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 53d84c047936c3bcf61008ce7a23c727 |
| SHA1 | 518f235bf9e7d2e5339b097947cd3edf0ddaec7f |
| SHA256 | 82c8848faeaccc6e8f356c58cb984b82e9ab26a1a3043d1d6b6bd7b29c127760 |
| SHA512 | a62b1b502db8f2ab0c895a90f5ddc4ed51e3e95bb2aac0a47af4d3008e8b1391093cc115a148d85bc2201247a59158c02dd45d0d1705ad484073bd32396c990d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1b02efb63c62ead02c47108f2307ba3d |
| SHA1 | cdc3c11a5dcb58cc06fd2b0a9394471592acaace |
| SHA256 | 53c3b6807bf07f45381a9d69e7d2e73af5931f4619676ee0939c7b300565006f |
| SHA512 | 1bac0992e193bf52da0b90a7cd230f48a09747b9e5d2c6c6cf8d0a6470fc7d836d4c749c95bc915a5738c50250a6275bca1bfae059e98de8aa88f78ebbd31bce |
memory/1464-106-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 91df2aff9ee98e7d30949f64c7a693c0 |
| SHA1 | 3e7b915d57d8e5c79d5b24c805437b0e08d37407 |
| SHA256 | 03d2381387556876f1f92861d17d4fab7a2da2c9d810aed67051bb6fab0f33aa |
| SHA512 | 4810b48b43a8bdad84c06a4208a2ddd23ccd7dcd4d1f1027ded35ce9120b7f76b77b194d9f9df1a68c1e6917830d6ff9dc17fc10eb8208444f6d4a4803736890 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6618fda8558d84de1a68d8de390509a2 |
| SHA1 | 8766908c3cf9cb96cd1264531d778ab655525e30 |
| SHA256 | 1bb7fe4d073bd08a51d6d3eee8b58f500412e52944c6022856ec650b8a54bdbb |
| SHA512 | db2417896ddd107b3be8b83a3ade3ab3829553659607f1c4ba28ad025b6c87a7d744e2780dd14e18c6733ff979b85c5c1863491f1ed2e17090b5a3dc65d8ebc2 |
memory/2828-113-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2816-118-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 37427ebfa665dd07da0f2581f9eebc82 |
| SHA1 | 4a9feeb92d9ecdef555e792c450741fe7abfcba0 |
| SHA256 | 0e003ce1b8525154f9f435f705441dc9bda79314ed6e01baffee79e760a09d05 |
| SHA512 | 50dfb33129e5f46560da35105695845ad3fce633162609708ec7bf03f95981f5b832d1aa83f3a18026cac737499b61dd65ef1672f87d3d3957580f519e4f70d5 |
memory/1408-122-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e7891059a7bb06d9ef04ed7ffc8e9be8 |
| SHA1 | b8fb3620a27c3aa7a2a32301b61e59ece8d06491 |
| SHA256 | 79b796a538fa3102ce284be5446ef71c7a8166e11e11da2ec3fbdb12cb9a1969 |
| SHA512 | acffa6f347fa7b5eabde27a569e6676cba8a88933b9d81faea4fdce78c2ed9b551a11e6c0a07404143ac6be72f3d18242b1ea64f0b1a8b4eaad63d6290a3ad3e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8f66ab3c2fbba4b7127c4b69ed22b7e0 |
| SHA1 | acd4cbb282e0355e11e513a691710192778a886e |
| SHA256 | f36256afefb419c605ce97764b4685345effb63fe8c2a12b5d4874f605e83123 |
| SHA512 | 684bd60dfb880dc2d2cd06a2fa67be6449dedbdad7aff81fe9424612513eef93cb395b74718ffce4efb61eac50e3717278c9f96294158c4d5fd38d6a90150513 |
memory/2816-126-0x0000000000440000-0x0000000000474000-memory.dmp
memory/2888-131-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2816-130-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 58f35e4fa6e141f7b0e40042981d77f8 |
| SHA1 | dadf41dc8be7f720bfe25e2b90b51691e22ad24a |
| SHA256 | af8afcf80082679a9bfaf91edff2752fdec45d67820ea39c30c7a85b2cb73076 |
| SHA512 | a601830b553c703438ba8c38fc28cc07dc0c60358994d67575cb87a3136e8b9f35be20ed95136db2abf1b3173a912b97bd16f532e7b4299c1c2532810460b2f6 |
memory/2888-136-0x0000000000540000-0x0000000000574000-memory.dmp
memory/1332-139-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2888-141-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3eb5c5764e3239ba25a799719f0a4c6e |
| SHA1 | b276ac58a97c1ee3c70ddcc5188726b25415d6aa |
| SHA256 | 3d096a8b549b918e0428d6ab0762583e34e884e9131c9b03984984e81dcc7bd9 |
| SHA512 | cefd0f42a6c7526838d8bc80e984f2ca4c97b366733d315bf86c4e77068640386731894a4dcf42eac14300b42ad54419e161351c4470e9c2ef12f25780e2ca02 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 27e176f0ca9eb1c1b25fd6e009e94ec9 |
| SHA1 | 08002592fe808a8e5ee89b2f0b737296845731f6 |
| SHA256 | 63d2fe87c5a647f86fc59482ad71cb9c24eb56b9c9a1af5e55b16292ac105990 |
| SHA512 | a0988e7e179c102f51caa4393477c8f72c79faf1d542d690944d907df58e60d554eeb4da2d95df675874300a8c7944c2925f0aad670f69be188bcf38fc9fda3d |
memory/1332-145-0x0000000000370000-0x00000000003A4000-memory.dmp
memory/1332-150-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1728-148-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8dfee044d25fcafab982dd830451a144 |
| SHA1 | 6c3d732eca7cd3df3e84794fc5a7714b8a6316c5 |
| SHA256 | 8fa2fc514a681b8cd21953c894fd02d562ea7d422a09676abd7884b59f9397eb |
| SHA512 | 2ac884234fd65da903fa12f28f480294a419e0018f3d305e5375cedfe8ada34a0f951b1fa0de5cc7d646f370541e99e0bd21425bb74d5c3e9d4aeba86c652457 |
memory/1728-158-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ac64b80c46e4bd0b242964da58be1abf |
| SHA1 | b5c11c4bc6d399511599ee29ee5107634a47ef9d |
| SHA256 | f38b610b82de74bfc753302e6fb7a5416d9554f3f5d0d3ee772c78347b9de276 |
| SHA512 | b9262c1aa6831bf798f3cb989379db8dd1ccbb64d6ebf2bf82204f7dba3857b0aee71ae4cde9b4e46beb3f791aa60e78d04920379d8f6fb47aba6343e4e3bc9f |
memory/2328-165-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 23f821a4766886c67e49c5426b3b324f |
| SHA1 | 363cf8b27703b5a90324e09e50ac9993de33dc7c |
| SHA256 | 208bfb58082580f3bb673629d8f6f12e01ef76747f1584caa18ab3e20db91093 |
| SHA512 | 1fed450690868586fe01e99609042dc64fcb0c6320944c5c63076c469611a09449b903d340c11c79490c26625c5715b604c024b3465f4994acf6245612b75ef1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 23:13
Reported
2024-03-21 23:15
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
"C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
C:\Users\Admin\AppData\Local\Temp\ad25a9ca7ec4475dc6fa3b50d4da92936bf0aff10eb2394e2cba5c56e59a787e.exe
Network
Files