Malware Analysis Report

2025-01-18 21:24

Sample ID 240321-zh8kgsbf8s
Target 649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7
SHA256 649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7

Threat Level: Known bad

The file 649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7 was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

UPX dump on OEP (original entry point)

Detects executables built or packed with MPress PE compressor

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 20:44

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 20:44

Reported

2024-03-21 20:46

Platform

win7-20240221-en

Max time kernel

158s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (this row is repeated 64 times in the original report; the signature fired 64 times with no indicator details)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (this row is repeated 53 times in the original report; the signature fired 53 times with no indicator details)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (this row is repeated 37 times in the original report; all hits are from the same process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2728 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Windows\SysWOW64\reg.exe
PID 3020 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2848 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2448 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1160 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2752 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1812 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 804 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1684 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 624 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2732 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3052 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2316 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 900 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1148 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Every further process in the chain is another copy of the sample, with the same image path and the same command line as the child listed above reg.exe.

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp

Files

C:\Windows\SysWOW64\drivers\spools.exe

\??\c:\stop

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

memory/1960-145-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1036-147-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a4410bbb6870efd3f573c3fa320a8449
SHA1 0a0f53e2ddd350127f8d639b06b97d33307c1c0f
SHA256 b5e29045b3c337db236847e07636b67b1b5f5de1fd112cf5915f67c9bd2bdca4
SHA512 de0f08872278e4837093a46129630a1c063cbcedd2189fab569ab2ab1223e78496aacfc318d50c3406870e67441e95b6514fe16bb0c9e989a8870fcebfd58c38

memory/108-154-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1960-156-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ebe0cf61bb7682fd0384fc30cbf29229
SHA1 ddafdf322ddf32fdaa245112f4c7c72526dc5c7c
SHA256 26053e1b375b5f4ec8c7902d80e2791ba6c27bc84e0ce9ca01f0a83cfb825290
SHA512 18657f94a46275b4007652d271a7001c940757975ace16288e67aa5af3a5a438c7963d2ec501a614f853fe0db03f5c461c0b94298021f0cdc48fd653c1c20b62

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c7787b8ddd6a9a795428e7ef3fa1cbbe
SHA1 b160a56618a2afc96c40b7b4ca6bfa746122dd37
SHA256 3bfc15b223864c735289fac3e1659faaf1233c115a25476ee29d84b2c101e255
SHA512 00f51b6b480eab51f57074237b0a0e6a4caa3afcd9ef98faaf30c21b6277e69460c510dbd6c87e843b542c3a0f3680b1ec26f60df707c0c563a6b194d4758601

memory/108-165-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6c67e816acbd7d5bd160e3206ab00fc5
SHA1 e64457dc0e82ca28c1091330102bc449200ee9ed
SHA256 684b1f679e4673ae7753956a1293cbd6cda9b1586d44821f32d60b3b59874ffc
SHA512 741304589a7533d3b8a2cfea63eade2eb6236916cbce79404edf89f18ec4ead607b8bf2cad3aeca8da43b767a7fc790ca6ae2fb536d81b193e8018f77fc45f93

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1ab6d31c90f579a8bfb2afab8ff244bd
SHA1 94aa27bd4a6e3578c8c0c6b13697a6eec4a1a482
SHA256 2662e09877f315b850a42e1d69fcd5a15d6310d346227276ab36767f317c5c88
SHA512 eb4b04dcee4da11ebb4b17d9bd93511cbaf22d490b37676082d788f68a35c205b6d3b9be525d48c82ae10a4afcfa4d060b68a458fc9df221bdd6acf3545739c8

memory/2132-171-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1748-173-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 568b2130f7ec8aa1dfdce3020253859b
SHA1 894dc7a996b004bbcb4b8955cdde77e4ac1f1136
SHA256 386ddde173d27d1914460979c3b4a7cdefd7adde990e5f826f4089cedcc70e69
SHA512 182c18b236a3659e2bdbed83ad8f02b69657a8434e15ac74dd18464cbdfad761c64f6054f410bc33cf5d78af412a818f3a5b1e47e113fcaa22472e6dd69b10f8

memory/2132-181-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 76fcc20eabe5235b29174a7e4ea67148
SHA1 05c0c3036b02a4cde7954e37021162710c949bd3
SHA256 b2abaa0c04edc697a7525cb406c4fe7f5cde151c1da5e46447b0f8c541868075
SHA512 6056d6786d5096acdfa84557ff8e39333cf925e231e69039b5351a194793e6c80354fe97510df5d9b713d3cb2f71f4715cf52b0119326c1c896c728d18dd9cca

C:\Windows\SysWOW64\drivers\spools.exe

MD5 be5e43657e21d992bd68d6312f6e6c2f
SHA1 198c1bd105863459c6553b5ede16a6f1e54ec479
SHA256 924883f035a4b5e9a6f96a1b1194f239d157c8650e730d5dc25f04be5fa6542b
SHA512 4393229fcd1eeedd2f382bef32cf4c3d54aa2a9c2d9738c923825bfc5e4f6713b42ce0e6779c44b2b60885de70b73ef95c288a8c46f3324dc4a1c0a73ce6e17c

memory/2648-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b61aa565a3355e6877ec12ba64213d3f
SHA1 dfff0d4e8146cf472ff8a801c60d347320292b24
SHA256 7b57ecf5ae02b9eda0c4351639b183c69e2dc83a38ef34b4ffe6f8e23f82219d
SHA512 6fbd8014e8994102addfd94712e5e901ce3c884c20ed377993949290f203a66bf969c824c5302eb87229f735d03ed7bbed691521d30c5f703cb28ea8fb189fc5

memory/1700-196-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f02122717faac5d4be9263744fc7eda4
SHA1 c63ca64349c4defc996c0fcb29956f79cc63b189
SHA256 e9f67ae8b994b28edb1ebc5b06020637fff3e2e942de878a5e0ba1cc43082ce3
SHA512 3b5372f64560fae3c23a41e1a1e7100e11e8170ff8bbca6647f8e7d032b658b0e4e433b9e2c704264d8ecf20e304aeda29dd76e197ab79f3cb050d279d8950ff

memory/1796-200-0x0000000000760000-0x0000000000794000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6b34c9720a15edd530b1a205f2a24629
SHA1 9e69d5b8dee3ced8ed39a889912d01962c8d42f1
SHA256 353caa088984764df01b9435d369858f2b7ec7f2e02d8cdef53577ac48a6ee1d
SHA512 8c0c3beec052a3b71480bea53438993e2c97084daff4a49bd8bf1b5b1ddf147bf3ee117d0cea3aa395c9c276bf88c0fafe41ec35dd964d32e713994779b0d026

memory/1796-204-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2496-209-0x0000000000390000-0x00000000003C4000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5262f57065f7d2e031f2981da40bcc14
SHA1 c9e93e45dbe5e9d5337a8d39a93f47ff46ccfb08
SHA256 9b7dc2241c2d8732d807cf9a47faee57329d066b026db1f11706f3ee67b2c926
SHA512 fc5f98ba795b3ce6c3e8228d3712e1324a763d4535bdc6ea2dda3aad1044a249cffc795fb4a8bfbaf00653b41b89b3185878a1d84a2fb2b5ddb3691b96a14143

memory/2496-213-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f977b79ef58d0aed3fe0219d8a9cdb80
SHA1 086a1695b4ac4b16e873ae9dc6af74fa1f76047f
SHA256 3e5b2b31ad046eb8f2038bf3fca5a1b2cbc76760c57fd5a98a86e563ba9176c4
SHA512 83271c78aae24f03bf27f61dd8d4be2a8f4c6a159a3a741330b37008cb4b939bc7457b45a169df1826aa9d1c542ba821081ea92ec36696f3bad192c7048a3a41

C:\Windows\SysWOW64\drivers\spools.exe

MD5 08eba77a478cfacc061765b124d08c5f
SHA1 b12e697d1f1c74aa8d93a4bdf346461df16ff59f
SHA256 8d24578e8165f7588ff508c4f6bd5ee7f86adaa448bea9117bf792c9ad0e7bc4
SHA512 e3a4356bbff8f532c2058167545fd247a52aaa48528512eeeefbf7c47b20bca866cc44f77ae01a6188b728de0888e9f4893127793c35b50b36fe68e7e23a9825

memory/1920-219-0x0000000001E40000-0x0000000001E74000-memory.dmp

memory/1920-224-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2776-223-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1580-229-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2776-231-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1580-237-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-242-0x0000000000500000-0x0000000000534000-memory.dmp

memory/2388-244-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-245-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-252-0x0000000000400000-0x0000000000434000-memory.dmp

memory/692-253-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2200-250-0x0000000001F20000-0x0000000001F54000-memory.dmp

memory/692-259-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1464-266-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1768-267-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1464-264-0x0000000000440000-0x0000000000474000-memory.dmp

memory/1768-274-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1768-272-0x00000000003C0000-0x00000000003F4000-memory.dmp

memory/572-275-0x0000000000400000-0x0000000000434000-memory.dmp

memory/572-281-0x0000000000400000-0x0000000000434000-memory.dmp

memory/528-286-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2400-288-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 20:44

Reported

2024-03-21 20:46

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

163s

Command Line

"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (15 identical events)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (12 identical events)
Set value (str) \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (19 identical events)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (18 identical events)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (6 events)
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (3 events)
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (3 events)
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (5 events)
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (2 events)
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (3 events)
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (4 events)
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (4 events)
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (7 events)
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (4 events)
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (2 events)
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (3 events)
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (1 event)
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (5 events)
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (2 events)
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (1 event)
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (4 events)
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (3 events)
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (2 events)

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A (26 identical events)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Windows\SysWOW64\reg.exe
PID 4488 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4488 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4488 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3120 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3120 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3120 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3568 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3568 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3568 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4764 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4764 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4764 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2076 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2076 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2076 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1708 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1708 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1708 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4924 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4924 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4924 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 400 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 400 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 400 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4292 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4292 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4292 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3908 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3908 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3908 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 624 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 624 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 624 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1152 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1152 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 1152 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2012 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2012 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2012 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 932 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 932 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 932 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4488 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4488 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4488 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 988 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 988 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 988 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3116 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3116 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3116 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3928 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3928 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 3928 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2372 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2372 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 2372 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4968 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4968 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4968 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe
PID 4140 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

"C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

C:\Users\Admin\AppData\Local\Temp\649c5c136560da6627f8dc43aaa406a7fd59596c69cf9c58b7ce8cd6924323d7.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 192.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 184.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 65.179.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 55.179.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 77.179.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 28.160.77.104.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
GB 96.17.179.83:80 tcp

Files

memory/4488-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3120-5-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f6fb0391d67c914c0cc42c40471bf6a4
SHA1 2db4b779a516241450c66c22fbf000a8dfedca86
SHA256 ebf795947580894f8a4a961411b8a27cdff1e7db38ecc8c94ba713cd14bd9660
SHA512 72680bb31338bbd25ffaa7cddb2ceae3425e05fb5b99038343e532cf397b392d6942d2ec8ac875e914147e39c44e7262f932bca131be0869975d4767496bd00c

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4488-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 91f491638fd03d599009c41865c2b261
SHA1 12361d42f7d996b69023c42102d6eb71049dae95
SHA256 07d7e8d12abf72dd32ff2419d50f26dac9400a03affec82b7378838cb5fde051
SHA512 be6ff68ab8446aa968d5b05ff11e8d4235b8bc8b50d8c33df3d1bfe9dfefc2dfd5252a524464656fe87f9027f0c7c465245e491b8941ee7d40e70f179ced619f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 638422f0d9ba3b5ef5734f91bf7333a3
SHA1 85185e0835b464377848a369c8400be6a54f4abb
SHA256 19911a01f509a9377786af59427144c87e0eb82d684399857cf8265651f7497f
SHA512 49ef0aac1664801bc2788f7b9d447f3003d05b49db0681edc771d101ab3c8d66688e914011dcb89d031c59c490ecf49f557aa76b89e187337c32e95ed4cca661

memory/3120-21-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f34ebd95db4a1068053a58ed690a8626
SHA1 5c851f680c004ce2f0ea24c8d08ba0008c53accd
SHA256 b916bf95f3e3fe5eb67a1ba22e9f5e1bcb18d7a6bbb70ad9e7d2b3e499d9e799
SHA512 72dd2bf9ed20129d5442c779bffedcd4111eff6b7f5e0bc4865d32ec4566c31b57627f8e70be5d419ec37736f6d8ecf5c0447104c50d7ff77f4b7176d290c8ae

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a0630366a9008736da756dbf5bdb5e23
SHA1 09e9411c95cea76eb73e1f0b7eff9b2d544f10fc
SHA256 f4622cdd20e6122cddb63e6d2be6ab0436685b985c6dee0eb27d47c6c59c67ca
SHA512 2bd05e9d6edb45f317f9d3f11178f7dbabe398d2ef17787dba5f3958be203e42942e738aed7bab686b0923ca4348be32cfe89c836a71dd104e533995cebd60c5

memory/4764-30-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3568-34-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ea461a6d6dabf06c6928905fa1891868
SHA1 6ea8ace9efe56d7695785cac4722a404a3e14b3e
SHA256 5f517accb26461280412623c12a3a8ece897e32325734b3527c8b1119ac88e89
SHA512 f941ec156979a3aa7b07472da3cda522115e0133c6d82d2698f4736dc83774bf12490f149516874bf07dbd807d23dce64ae3beae72c2819759b2815b7f2d40f0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0e27e086348a4d056833b216d631568d
SHA1 11c84525159238d52ad32d0765e0ee8503803c1b
SHA256 c217c210aaa32da8a64265b775fa3bcb54e0b53da46afc0e2f5ceabb2587b057
SHA512 02aca7efa6768900f462afdca69f95839b2c3fba54a7b796f612bb395a58d50785c1a3473e2ced8a68d6565aad98f7421bee48e31e8492ab42962a48a25e4b63

memory/4764-46-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8802d9034f4e9782ee0e334a213b06ff
SHA1 67f6883c72c1c1aa75eed5ccd3c0034663c1f40b
SHA256 6d5106f734858faf4b0e5200662cffbe60b9d94d23603c804ea086ef90d3becb
SHA512 41909fef76ce5cd8d871b81356af3f25a1170134b8e45b0681552191d6ef76e43c1d8504fba52c71e9ca80ca1fddf3b519c829bf39dffc05648ebe721b60fef7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 90a055d4b02986e53c36b81be680b001
SHA1 1a0b95e0d13a91fe2ddb096b9ff2993b56946db7
SHA256 d3feab078672d352ae64f366c7dfbdc5e1d57eb26f16ca139046b8fce2b120b6
SHA512 9287f56c30b42d98ef7eb8a50f90a160d5b7f3b34452855f4356614083a1c1ee1ef291d7f272115d1306847642c923f1b62c3696e84d9ebfe67c443982c45157

memory/2076-58-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 433f75f94ae03b2a63dbc7fa2f69e507
SHA1 e7c4b132f84cc3f37107ab913259fc6580efe939
SHA256 f07441d1b5d2e0fefee763ba911719b0238b77e71be2d2b0693fc0f3344d22f7
SHA512 8a1a4ac5c833d1781a414740309184c7df33f3a1efda4a2b3213e87e93e90ab22e801c9ef7763fc5092cb4aaa03a48ef48c5f00720ba072ab0d1ada1ee1982e4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a614971f55ce309657bc1fbeaac35598
SHA1 0c83c4b79cbb3a6ae6c40ddfec390f2026664f19
SHA256 5e90f2619343208b8ca1250cd716fbe68009d36814e3058195a90c997f7a8ff2
SHA512 48c98c76d1f71120704a73a9fe97840ace2e7cf53188e9daf5fd235e01a2ef98219f267aeed6c3297da54b4f758a120fb450bba4ca62cf941c7774ffc09190da

memory/1708-70-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 31ef1a665dae81a8f16c8f439938e8a9
SHA1 e777d3a4a486e70f6a38d4467af644d6d25a491e
SHA256 735eb88a73542c52375fc3e7b26da45b9a8d67df5ec7d04d62c0db7bb3270530
SHA512 268dede40f87c80b1ea6766db2f107ed953501e994561940f1fd7a6a6b2e05d67bb0107e8358c1be6a929902fcc69ee84952d2f05133ec48373ef99ff9055a27

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a77ff5ed6b36c7183a1b303f5101bbaf
SHA1 772e60b20c7c42b1f2ad2231280489063d2f788e
SHA256 8e0997da0497655c7854dd901d7af2f9fd6c557ecd592372cdc1efa7053a06e7
SHA512 3d8f3dc3312c90476065d929e326b2b1468b09ee0ba21670730472d038397dd06c12fadd04452e0539727721d1b518e2bd884b10cc77fe073d9f8d7405dc7448

memory/4924-82-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f305fd76a0680eb34742101c2a480a38
SHA1 639dffc1ca907c4397176f5dca6c8c24100d321b
SHA256 af7e853a3cf215ca0e8c7da5f2f445b84e17dfcaa4a92bc49d179f0f71dbcdcf
SHA512 59cde264cc5de3a91cf5bada77ae2445410e2d2b3fca940401f6011d8bd69c195aea075b4616b9f8e475be7d2ffad8d4a5d3118519af9a7587050ca5153ad80e

memory/4292-95-0x0000000000400000-0x0000000000434000-memory.dmp

memory/400-94-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2fe1536fe946eec6f4c0edd0e1297bae
SHA1 1601b8d2e7cda37b96104ec65d592fccdfcbc57c
SHA256 32f4806f27cff99cbb9681d5cc6e9e1134256d2559918933e9c4be1d990d5fbd
SHA512 1b992528c78003d49a412f3895464de1294f7a49757e0b3e0ea05d346cb5d0c21443c616b8235740cb68a67b858f6b7e9e5d3e0f1674405de4dd6a719adb5c63

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 381127e80cd1106b5f95a847f44ef601
SHA1 b2b71b905010a706e24591c2d3ae8ca29e761472
SHA256 166c80435cada06feed57909ee3c76c8c0be11a8f5f2f9585c7b1f8f8b4b66b0
SHA512 aef6403cefbbca0fd6ee308ff7b7073c7e1df17679498715c98647ed0f0fe9f6d6835b5a7ac1aa885061c5746815be6d9186776688b169f8b58065d5ec1007ae

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e6c46ba96f5b01345342e28e34a4cdb3
SHA1 8b546a66a13e9007d698cbda318a905490a8de54
SHA256 179cbbf7a477fe2c945e3c4ec23d18cde2c0599ecdea88e68048ad3e62a62168
SHA512 e69529eecede1ae1d415475d65c61bc7461dae36c04e435d11a6dd971fd47b6945f45399401e2e3b53151006c88933a9249a7267a1110892b69a22d29e7eee9e

memory/4292-107-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 37235e7a007eab4aad03375b5a2246f3
SHA1 677c5d0305d3085d0b76ea993634c1223685b7b7
SHA256 d4bb6dcf316193d55f117fd0aa95a35f346d073eaed25f3e2652681fd2d3b57c
SHA512 15ac7d9bcedcb9739465818050766bb637ed8d878c77ad1593e036eb9761ac31500f8afd143343175df32f39688edb90dab8097591d267d0e4e86d8fcd80eb58

C:\Windows\SysWOW64\drivers\spools.exe

MD5 857facd268dbb4d8ac521345a8bbf839
SHA1 6b8433491029d7fc70c508951c9182f5a283b215
SHA256 4b3b417ea871dfb453453122164eeca2c53e0d90d418e3952873e4cbf43decc8
SHA512 ff96401c447f358e3e59593300ffc8769841466a1e779bf9c879e64611b350ea6094ff0e48a7aadf88380416d1b90510669ec84869385da99ee8e97e50b27a72

memory/3908-119-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b7fd324fab1ebed940fa30874d441cf8
SHA1 d9cdd912ed87dcaab1710977a76bd84d8b510c66
SHA256 776f1cdfb129d80ff51683f9281ea78f16e86337024d0439340051a38b7c0100
SHA512 d5c04cb34565c1eb9aa01e11631677c6372deb234c3d78c2e7f7acd0bc348380d96d1a038530af57b9c283f63375911ae0436d547c03bc4a9d53c2a37564c7cf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c0f093e03a41103af293a640e853b25e
SHA1 9b9cb4e7a184f27543db219b6e53feec96b2601c
SHA256 7d53bde9743a13d9def0513f7c307b2c9a38515b45107a49988dbcc9c89559e8
SHA512 006099745b8c24d19d75dea3b27c2750e60158fa6c5c7946ccded0d718ff5c838b6dafee848f4fbb24626e2ceccbac5a2c12eccc32c7aaab66bf6175d135fcda

memory/624-131-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8486998bce95201cea7449c030f012da
SHA1 7e3bfdedbc9ff1815c50dbfd859128d961b2d4ec
SHA256 e95caf2da9d4235a98a66b05037d26a826d5210e71e0ef65ce2f42d23bb32744
SHA512 bba7cb5f1435991a13145fc48ac7ba78c2584b29715271c68ba8dd746358f701c54f5485750ddfd55f88d8f020bf10b4cb45325c1b6aa11341ca3c167a893e41

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c809e7d1d71ea097f4abe02ae4f84341
SHA1 797c26fe8ac924c260118370827d051b368b474f
SHA256 2af78fff9614db230e2570d281362ee50aabfdc4c9c5247c90a45d58b601219e
SHA512 ec789d68f55fa3bef08d506a3b85b945d34512865d3eb8d94fc084dbc6728811c91d896d1432abd88ba735251bc013ad6649491804e3772a73ea5bea41345582

memory/1152-143-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b5863dbed059175e38659f9b1e0cfac8
SHA1 5b971f8ac9e5394021a86f332ebabdfd46a2fc26
SHA256 e1c7435a650a24ea50192f5c2434e2142e431f1727074a7cdb18d4af6116c16d
SHA512 4b4442fd589abcee8b121f6b44a1a42970625ca865f4e5923417f5e250f9d308195bb52b478c54777e44e096bf50d3866b699241991469b4ec274b0d4bce0081

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d8269f146deabc27afa79c72f304e90c
SHA1 0c94b5115e0d87a0e26c77ed901d3b7c81fd96d1
SHA256 d7f36f389d59724b828aa77fe083214e1c8cf653c821c89d0909c9a003d8999f
SHA512 262919f5c722b4726ea6134035b6785690099279a56e31483fc49fb04706a097a270365a70d97ad6e08239fcfbc5ea0a02e0afeb3ea4d9d149cc42cf6e067260

memory/2012-155-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 18b28f48db5b00a094d9474ede6e9a14
SHA1 59f7fe98881b8620ccc0ac01b4cdf218f3f5435f
SHA256 e59c5f57bda8e9a8ef6f3f1dde7d2f0bcd18747f60a435cc0afd65f27391e358
SHA512 1c5855dcc4ae8483b6401a98679ee1cb9f2b4c81f074a19583a5a2bd88e4b2bb0c780e6a134913829cf011d06e3860c81709b10e633bc05cbfaf5a6a3e925cd8

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3cfd638a31843443cf159671fd08e33c
SHA1 f5489f10a037ee0b50c32ff6f0cbce241032b850
SHA256 1e24461e11e3c5a8f9c0b8abee9613f8f49e964a792d27a3b663cf261bf76666
SHA512 0de4dabf84906fac96b5756b0fc8c0456d1d318c06a686259e0c3a3226dce147bc83b52fdb84ede293801725a5ce7c22f5d0923173a1f956ae7dc883d2093a7c

memory/932-167-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7c7c85a44b6208a819bd4380f93e75f4
SHA1 434a7cf28d17b2c57436b5f1b0e1b4d64a6b2618
SHA256 1e4c7f47e88cf5d011e1867e32c2cf75436da4a5ba352e5d9755a0e99a27ca24
SHA512 29d7f35f2efb9c5c1ef28d7bbef69fd9c8f69ccd52f403f7a55bfd059d4aa11fedf3ac010b7aa7d78fa95653c702c25c5c9897a36c65f153ccf818bd0298d648

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8f968fa0ade11bad67acd5a6266502ba
SHA1 9b2d151338bfbd5ad290e2c13f673baf7c824bee
SHA256 3467d1c7587912e53ce19933be50aa0e77fd4a5c7e5e36c83ae3ed0eb29bfe44
SHA512 89a2dd72a26523e7e382e2e64c50cf62037fd7193636ad228402a95e951f382ca5c8a0b6e7bd4e63d20c64e88881aed66ddb7e3c5f4ac4c1bfc0139f6bf3e441

memory/4488-179-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 10c737b069ec872497fc8331fb758196
SHA1 1c77a1d8ae354befce31cf77cfe143605d5ff2d6
SHA256 33e726c70aa7711e2f50e598b3713b25aa748f3b59ec4eb2d1676d58c54fdc95
SHA512 77bb6c826c9ce579023aceb0cdc6f499d5a1c27248d7c89fb26104141875e4bd5cdc7082d432aee990dcab055d14274301b18735f7e6c934f3856783025562b7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4757d2049b5e4bbc19df3fc3536890a4
SHA1 bd8cfeff111461d998d8c78619cb7827a65824c0
SHA256 0a46581a5726ba78f7df05e0190d98a9ec737dda4b7c7d94fab9f460f7f91565
SHA512 2164add19df5cb3c888a8b739adb5ea8faf44a4fdedc377acd581ad8fdd009630be7921c11ec11fbaa9671d5c1aefdba386e530b840490e5ec64ea711de58eca

memory/988-191-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8227d7c15f3624f39f799074f541a7e2
SHA1 805d73535a0ec894940f16cca44636ac54da8dc9
SHA256 4826965ff140e36fc17ba6619a22830b18c1bb6932135a987b8416ce573082ac
SHA512 04f4dc21b8052ebb107558dd8b599b527ee765470c56f5f3eb35e52bd5ccabf368a35145b9339f7899d608d06cdcc729da94a0ec98f617ac76603aad9f581beb

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e1dd9deb80996de18dd3871638265c62
SHA1 42cfb3d5b2a9ef3520fdd3e612d1113bf7d77e4c
SHA256 34a3a9f35c789931766ea62aba7900a54336f82fb0a8887752c37d60c83fc73f
SHA512 99593fdb4cef22eb0bbdad8c38131a9775f1a2a8bc26b0f7ed44d3ed24ce72cf203c963966f5b000aa1a1e5f15a818704a9d8dcbac064433b04648585fd7d64b

memory/3116-203-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e576cb8ac0e3aa0a3bb046acac14deed
SHA1 b2de106dd762be72e46ec044959d6ef87efdb8e6
SHA256 b7c711adf7a49e65c75954acf0b9f37d2460b9c5c4363cacdc25bd751c03cc2c
SHA512 701abb9e12088b12e5afea41f3614008eda59715f1691af04959353d55d870fbfb0bc4b1dcc58e4b7e7783adaf8d93f4a89ff27007ddb15e616f462b594483d1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 84644c2cc077352b7cefe79023876b55
SHA1 5cccfd051a696316388a64c5dabb44bc35026a66
SHA256 675dd9a816881200e8e4fa0b31c9a2f7382dec730eef695a3bf1cb6035e4eead
SHA512 6cdae181c2f6c1340f9d69a0c79e9d99ed2a537c3cb68856cbb2dcda43b2d8764a8c711df4de20c4af017bb6479c8cc7034b84aa9bd02e211f6b3ce4a425c793

memory/3928-215-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3508f9997c446992fa432a9decb5ecc9
SHA1 b2c4f05588934412042e1a7b1864f79ba50f4209
SHA256 0cb3290acbff457c6dc4b1eb5da1ba7fbf775bb157d96b431b80de0d333fe2be
SHA512 8363b46ba5413f56a4ce690e256d2bfd1cfe965b350ee4f1515cc88e990fa6654492e5c5ad5aec257a49d3a81a71a21d35274f872b73f0833798b67b369ef615

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a5f720682d803b909189ed32f189e628
SHA1 51fcf99b76ae64a694d2e88154001a89bfca6cf8
SHA256 db23d769a5f34fde2839e927be7d5386e45d27075f26d2c297b2962c230d70ad
SHA512 e9d1f0561c2d6f358493b672c7d3ec7fc10e34af6885cfd479e2a2a985c1c082e74e96f046059e8651507c7c6aed710ccc617010a7ad591654e1e2ff032b6c5c

memory/2372-227-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 188b8b1c9d16280b2cd390e778350305
SHA1 cdb971adfcc6bfdf80abb62c5d6032bfba5394db
SHA256 6f4387fb6d92648a994324f4be301b1e288e3ab3d484122fa5cab6f67125ec3d
SHA512 10a662c0ae8613e8ea590af51eb58ed7ddce91a76980e9895573584952b95405350f18559e1b84b1d8459aab662a4960a9b5872081ec39991bcd361654b52db1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 08e88df967b499e9f31436389cac9dc4
SHA1 7c7d1d6b14090e22fa998bb4bb19511521ceedc5
SHA256 fb2fdf8949e308c4aed30c3ec628b6d45959019aa39ba8dde0fc8f923dc1dccf
SHA512 22d98fb0edb84cd95060767961635b7a6c4765412620fac3bd012317db74a7c4f8b0f05074f447302384bc9da28f0a89301bb58f50c21b97d65c7a5ca92189e7

memory/4968-239-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2335ad708b65034aab97ad78494806e6
SHA1 cfa338b83061001c28f4654bb48956a133671b95
SHA256 4bb0c6ac8ad090e39dca11a06181c53f4c0b12011368a555648cafeecdc0500b
SHA512 34da12417796e6282693dc35557877c6db5bd81403fdc7924909b7b72ba8ef63efeb0febeaba0431e275950b815fe03c41373e64c1a537dc66655fe087fc82b5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 df6b197e48e3092fe545d6be0cfd5c0a
SHA1 f0c82f20595ee5a3cfd6c7e1ba42e4361afbf801
SHA256 76149affbb93d04e10717dc5514d2c33d59517695c0411509a705ea0f3827b63
SHA512 febd9244645b929ddf7d10e82625b633950081f556c9b224e5e40854b3bd464b490b1e808890ad23c6afe71b6accc0cf86b48d0e399a05249af021cacdf1252f

memory/4140-251-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 eacd631be0d7a7b8114f71005d410472
SHA1 f122b4781707811cbab143b101859a9bd757feda
SHA256 fb24fa06258947ba4582f84a10cf3497f048492a5a49baac67532cccd21e8bff
SHA512 cae6b0b4b35b7ea8d435387dc52a0001326fb3e737b35aaecca8640614e8307672605d1cb4891539c1e83c887d1fd6fbb4292eb72bf4c5bc857bbea658b29a17

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7ebbb22f70a1799754a7be08cf289eb6
SHA1 53f5b89ff96aa0edcacad4c0a76da45d216338b8
SHA256 287d2f374548f53b488f763951d538ccbd984d503e80c0be6802226f686b3f78
SHA512 37a4ac0a3c6610e2bfa5ff7643b719db0c820240fb84cb7c27b133e99cfff853e2f32b37b41223442c39bc9bded66b69363eae2a235d317b1c4123eaa3cb4e06

memory/2164-262-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4780-271-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3760-280-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3332-288-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1000-290-0x0000000000400000-0x0000000000434000-memory.dmp