Analysis Overview
SHA256
649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7
Threat Level: Known bad
The file 649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Detects executables built or packed with MPress PE compressor
UPX dump on OEP (original entry point)
Detects executables built or packed with MPress PE compressor
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
Adds Run key to start application
Modifies WinLogon
Enumerates connected drives
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 20:44
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 20:44
Reported
2024-03-21 20:46
Platform
win7-20240221-en
Max time kernel
158s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
Files
memory/1920-219-0x0000000001E40000-0x0000000001E74000-memory.dmp
memory/1920-224-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2776-223-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1580-229-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2776-231-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1580-237-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2388-242-0x0000000000500000-0x0000000000534000-memory.dmp
memory/2388-244-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2200-245-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2200-252-0x0000000000400000-0x0000000000434000-memory.dmp
memory/692-253-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2200-250-0x0000000001F20000-0x0000000001F54000-memory.dmp
memory/692-259-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1464-266-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1768-267-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1464-264-0x0000000000440000-0x0000000000474000-memory.dmp
memory/1768-274-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1768-272-0x00000000003C0000-0x00000000003F4000-memory.dmp
memory/572-275-0x0000000000400000-0x0000000000434000-memory.dmp
memory/572-281-0x0000000000400000-0x0000000000434000-memory.dmp
memory/528-286-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2400-288-0x0000000000400000-0x0000000000434000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 20:44
Reported
2024-03-21 20:46
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
163s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.230.140.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| GB | 96.17.179.83:80 | | tcp |
Files
memory/4488-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3120-5-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
\??\c:\stop
memory/4488-9-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/3120-21-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4764-30-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3568-34-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4764-46-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/2076-58-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/1708-70-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4924-82-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
memory/4292-95-0x0000000000400000-0x0000000000434000-memory.dmp
memory/400-94-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4292-107-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/3908-119-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/624-131-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/1152-143-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/2012-155-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/932-167-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4488-179-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/988-191-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/3116-203-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/3928-215-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/2372-227-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4968-239-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/4140-251-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe
memory/2164-262-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4780-271-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3760-280-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3332-288-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1000-290-0x0000000000400000-0x0000000000434000-memory.dmp