Malware Analysis Report

2025-01-18 21:24

Sample ID: 240322-asz9esdf23
Target: cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab
SHA256: cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab
Tags: upx adware persistence stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab

Threat Level: Known bad

The file cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

Modifies system executable filetype association

UPX packed file

Installs/modifies Browser Helper Object

Adds Run key to start application

Modifies WinLogon

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15. The matrix rows were not captured on this page; read off the signatures above, the observed behaviours map to T1027.002 Software Packing (UPX), T1547.001 Registry Run Keys, T1547.004 Winlogon Helper DLL (Shell, UserInit, UIHost), T1543.003 Windows Service (Schedule ImagePath), T1546.001 Change Default File Association (exefile), T1176 Browser Extensions (BHO keys), T1120 Peripheral Device Discovery (drive enumeration), T1057 Process Discovery and T1112 Modify Registry.

Analysis: static1

Detonation Overview

Reported

2024-03-22 00:29

Signatures

UPX dump on OEP (original entry point)

No indicator details recorded for this signature.

UPX packed file

upx
No indicator details recorded for this signature.

Unsigned PE

No indicator details recorded (2 hits).

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-22 00:29

Reported

2024-03-22 00:31

Platform

win7-20240220-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: both values written are the stock Windows defaults, and they landed in the Wow6432Node view because the sample is a 32-bit process on a 64-bit image (the 64-bit winlogon reads the native key). This shows that the sample rewrites Winlogon values, not that it gained persistence through them; check the native key on a live host before treating these as indicators.

UPX dump on OEP (original entry point)

64 hits; no indicator details recorded. The image dumped at the original entry point is the unpacked code and is the artefact to use for static analysis, since the on-disk sample is UPX-packed.

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A (32 events)
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A (32 events)

Note: the 64 raw rows above all concern the one file. The sample evidently asked for C:\Windows\system32\drivers\spools.exe (that is the path it writes into the registry below); WOW64 file-system redirection sent the 32-bit process to SysWOW64\drivers instead. The 64-bit components that will later read the service ImagePath and Run entries (services.exe, explorer.exe) resolve system32 without redirection, so on a 64-bit host the persistence entries point at a path where nothing was dropped; on 32-bit Windows both resolve to the same file. The filename mimics the Print Spooler binary spoolsv.exe.

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: Schedule is the built-in Task Scheduler service, normally hosted by svchost.exe, so this hijacks an existing auto-start service rather than registering a new one. HKLM\SYSTEM is not subject to WOW64 registry redirection, which is why this write, unlike the SOFTWARE writes elsewhere in this run, landed in the native key.

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: "%1" %* is the stock default handler, so the signature fires on the write itself, not on a hijacked value. A real association hijack puts a path in front of "%1" so that the malware runs every time any .exe is launched; nothing in this run shows that, so treat this as registry tampering rather than as persistence.

UPX packed file

upx
64 hits; no indicator details recorded.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: the value names ntuser and autoload and the two target paths are the usable host indicators here. cftmon.exe is a lookalike of ctfmon.exe, the legitimate Text Services Framework monitor, and "Local Settings\Application Data" is the Windows XP profile layout (on Vista and later it is a compatibility junction to AppData\Local), which suggests the sample was written for XP-era systems. The HKLM write landed under Wow6432Node through registry redirection, whereas HKCU\...\Run is not redirected, hence the mixed paths. No cftmon.exe drop appears in the behaviours captured here, so the autoload entry may reference a file written later or by another component.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\<letter>: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

64 opens in total, across the drive roots E:, G:, H:, I:, J:, K:, L:, M:, N:, O:, Q:, R:, S:, T:, U:, V:, W: and X:, each letter probed several times. Opening roots that do not exist on the image is the pattern of a loop over the whole letter range looking for removable or mapped drives; any copies of the sample made to such drives would show up in the Files section.

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A

Note: every row is a deletion, performed by a reg.exe child process (PID 1740 in the process-memory rows below), and the second row removes the whole Browser Helper Objects key. The sample is therefore removing BHOs, not installing one; the three CLSIDs are the ones a stock Windows 7 image with Office and Adobe Reader carries (Office Document Cache Handler, Adobe PDF Link Helper and Groove GFS Browser Helper). The stealer and adware tags are attached by this signature; nothing else in behavioral1 shows data collection or exfiltration.

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: UIHost is the Windows XP Winlogon value that named the Welcome-screen host, and logonui.exe was its XP default; Vista and later ignore it. Writing it is another sign of an XP-era sample, and on a current host the mere presence of this value is an anomaly worth alerting on.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Note: this is the same single write that triggered "Modifies system executable filetype association" above; the value is the stock default.
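The registry and file artefacts recorded in the persistence signatures above (Winlogon values, the Schedule service ImagePath, the exefile handler, the ntuser/autoload Run entries and the spools.exe/cftmon.exe drops) are what a responder would sweep other hosts for. The following PowerShell script is an added example, not code from the Triage report or from the sample: value names, paths and the expected defaults come from the report, the function names (Add-Finding, Get-RegValue) are my own, and it assumes a 64-bit Windows host, an elevated 64-bit PowerShell session (a 32-bit host process would itself be redirected to SysWOW64 and Wow6432Node) and PowerShell 4 or later for Get-FileHash. It checks both the native and the Wow6432Node registry views and both drivers directories, because the report shows the sample writing through WOW64 redirection.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the report or the sample): sweep one host for the
# persistence artefacts behavioral1 recorded. Assumes 64-bit Windows, a 64-bit
# elevated PowerShell session, and PowerShell 4+ (Get-FileHash).

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Location, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Check = $Check; Location = $Location; Detail = $Detail })
}

# Returns a value's data as a string, or $null when the key or the value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$Name
}

# 1. Run keys: the sample wrote 'ntuser' -> spools.exe and 'autoload' -> cftmon.exe
#    into the 32-bit HKLM view and into the user's key. Check both HKLM views and
#    every loaded user hive, not only the current user.
$RunKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null
$RunKeys += Get-ChildItem -Path HKU:\ -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run" }
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }
        if (@('ntuser', 'autoload') -contains $p.Name -or "$($p.Value)" -match 'spools\.exe|cftmon\.exe') {
            Add-Finding 'Run key' "$key\$($p.Name)" "$($p.Value)"
        }
    }
}

# 2. Service hijack: 'Schedule' is the Task Scheduler and is normally hosted by
#    svchost.exe. HKLM\SYSTEM is not redirected under WOW64, so one view suffices.
$img = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' 'ImagePath'
if ($null -ne $img -and $img -notmatch 'svchost\.exe') {
    Add-Finding 'Service ImagePath' 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule' $img
}

# 3. Winlogon: the report's Shell/UserInit writes were the stock defaults, so flag
#    any deviation from them; UIHost is an XP-era value that should not exist at all.
foreach ($wl in @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon')) {
    $shell = Get-RegValue $wl 'Shell'
    if ($null -ne $shell -and $shell -ne 'explorer.exe') { Add-Finding 'Winlogon Shell' $wl $shell }
    $userinit = Get-RegValue $wl 'Userinit'
    if ($null -ne $userinit -and $userinit -notmatch '^[A-Za-z]:\\Windows\\system32\\userinit\.exe,?$') {
        Add-Finding 'Winlogon Userinit' $wl $userinit
    }
    $uihost = Get-RegValue $wl 'UIHost'
    if ($null -ne $uihost) { Add-Finding 'Winlogon UIHost present' $wl $uihost }
}

# 4. .exe handler: anything other than "%1" %* runs on every executable launch.
$cmd = Get-RegValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' '(default)'
if ($null -ne $cmd -and $cmd -ne '"%1" %*') {
    Add-Finding 'exefile association' 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' $cmd
}

# 5. Dropped files. The 32-bit sample's write to system32\drivers was redirected to
#    SysWOW64\drivers while its registry entries name system32\drivers, so look in both.
#    'Local Settings\Application Data' is a compatibility junction to AppData\Local.
$FilePaths = @("$env:SystemRoot\System32\drivers\spools.exe",
               "$env:SystemRoot\SysWOW64\drivers\spools.exe")
$FilePaths += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\cftmon.exe' }
foreach ($f in $FilePaths) {
    if (Test-Path -LiteralPath $f -PathType Leaf) {
        Add-Finding 'Dropped file' $f ('SHA256=' + (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash)
    }
}

if ($Findings.Count -eq 0) { Write-Output 'No artefacts from this report found.' }
else { $Findings | Format-Table -AutoSize }
```

Save it as a .ps1 and run it from an elevated 64-bit PowerShell; any row it prints is a hit on one of the report's indicators, and a dropped-file hit should be compared against the SHA256 at the top of this report. The Browser Helper Object keys are deliberately not checked: the sample deletes them rather than adding one, so a missing key proves nothing about infection.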

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A (35 hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2200 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Windows\SysWOW64\reg.exe
PID 2344 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2624 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2644 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2604 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2956 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2840 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1912 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1920 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1532 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 384 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1904 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 324 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 816 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1092 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

(this child process entry appears 68 times in the process list, one per child process running the same executable)

Network

N/A

Files

C:\Windows\SysWOW64\drivers\spools.exe

\??\c:\stop

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
C:\Windows\SysWOW64\drivers\spools.exe

MD5 85b09b460ae093ec6300cfaa7049f47a
SHA1 270da9c78d41425f1bf74e73408a1cb435f70f9c
SHA256 b019986098f8cb5fd5cc9d2be62acab095e2a3e75ba15c66dc60044b61fe0453
SHA512 880a4e36fd17087011acabbc3fb14443658a15bb4ceeef87eee30ab9a28fbba88bb8a53993c54c705bad93c3eaffbbb709de9b6b2d2928f1a57c3a1de2496991

memory/780-159-0x0000000000400000-0x0000000000430000-memory.dmp

memory/916-160-0x0000000000400000-0x0000000000430000-memory.dmp

memory/780-157-0x00000000003D0000-0x0000000000400000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 73bc14a6e28f2d9147d8d16df9d64d4a
SHA1 28038274d1b5367c6b1e91a993cb0249c2d3734e
SHA256 32ce533171d4921034a0fbc982e9f714bd53469565f9a9a03ede19e365f49f6f
SHA512 6db6f61e276b2b27685e25ebc2c28c4e13e6ccfe94ca57bfff4d2ae5ec49dc11367e43ca31c7aa87765ccb08ae9e5395105b256fcb458d695f324c4edf642032

C:\Windows\SysWOW64\drivers\spools.exe

MD5 75a032d25f03daddf8548e245e31489b
SHA1 d440a11f13a2aa1cb92cd8513c0f3feb6a995245
SHA256 9790fdb039aade34f6693f7ad4915da3fb7a3775a0103e3f137e0b657f96414d
SHA512 7c4fe6e2c56c118c2cadd0fd4a1fe6474f19046d6847741db1842dbd3651f11be742b05966087317aad318bce06e7e94b0a4056953a88ea2768c85e63072fc09

memory/916-168-0x0000000000400000-0x0000000000430000-memory.dmp

memory/792-169-0x0000000000400000-0x0000000000430000-memory.dmp

memory/916-164-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/896-179-0x0000000000400000-0x0000000000430000-memory.dmp

memory/792-178-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1a041b46c3f6a88c08000c1e9d1385a8
SHA1 5344d990cd15e2ca49b7592dca532b50a2910a6d
SHA256 685a868b922b1a48fb81650daa77dd6f055b866cc6bf5c39eef719b463086f28
SHA512 f20419cbe7d7fb25a01ac10a221cf678aaa0a7fcfa00de62ce85fc90599da0c0ce75f2e83edf396a31c0548d65abde98b0fade8930fd6a7923e83e25b47f008d

memory/792-174-0x0000000000370000-0x00000000003A0000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 342d4edcd07e011515bc6a2aaff7fdca
SHA1 45c50f497e4eff9c6eb532926114fa83fa528e65
SHA256 6e8e391903b9c3934333cea2855fe97b72edc37578094b8a1fe9f9058c6c52d6
SHA512 b078dc7f4be635aec2f18318106c8804e25a00f82f22ee788924304dc5b90c3e6c0dd653447b7906d6fc595587efc15b9e7f4a71146ee6f622be81b431f0712e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4c69912a7b680f3093002ba075d385bb
SHA1 e1fa18d7cbd426cd6622b6a6bc1859a1130fb9e0
SHA256 5f5149edb4c2e2ef75493df5f252363cdecb2d7020df689bc39dae174c00e111
SHA512 55a845103282a4852bc0ef6a8a2ad99936f6febdeb46d269753eaa861db4ef4cf85232eb1a2dbed36d2e9b17075e048d78c23557368f9f57f266b33b46db0f1c

memory/896-187-0x0000000000400000-0x0000000000430000-memory.dmp

memory/896-183-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/1716-188-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 91a2b6c44699409c67786ec64b0e6604
SHA1 6627720c1ba00d0d404f5bab99dcccd4a35fb284
SHA256 dd2c02d4f39bba6f1da3e0c21c5867c47e513e1bfb2ce97df065ddb0a9f0971e
SHA512 5f10a01b78a685b11e356ca95cd51bab1df4d73d8487b804c11297eb839058e2276835f39e21106b2b9f94123520c16c42107b95d8cab49ab2c009e48b973bd0

memory/1716-197-0x0000000000430000-0x0000000000460000-memory.dmp

memory/1716-196-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2196-198-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 790d46556cc5bd9be03422c401329e92
SHA1 8455a527ef537547f7943ef6158f5882005b889e
SHA256 2d1ed961d23d7f5a39af436c77cf26630c1c2c369c0bdd3555fe30cce73cda0d
SHA512 a3610520a379d1398a5ecb42801ac9e9464e20fb6433a635483239096a022ea2ca2ca1a9a203b55548415471339f840862ef6250a87fc7cb7c00f5e567bda2b1

memory/2196-205-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2708-206-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 11bae7f4d196453c34d8d487332ad73b
SHA1 51de8861b4e6c1bdd7a66c9f6f4e8e669027b131
SHA256 77b37df41058a557ad4d3a102e31753178ad2d71817d5645c4d16aa89848b908
SHA512 c0b2eb451e86024065d7f94ab3d8294cf643ae0553d47cd88a8f0000cc68a2ab05b5f8d86a386b10b5a1a383dd12ad26b996b0ea30467566ae0d46a94acdc92c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e6f2a06477e7af2ee197cbd72eb7c9b1
SHA1 11897fccab0bec755f7f5d40eeeacf79f7c0365b
SHA256 32984866b84b1c6b5bc948c348430e0d9080ddd8315d844efad5d04da2a26974
SHA512 d690dc0643692ad2e178d6135833e1e7cf141b7fe4af8ca3cd7299ebed96cef389d103c339cd39f75aef89c65d014af79007e913d55fcc71bbbfd417f36b9f1a

memory/2708-215-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2708-214-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2368-216-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0d4cfcdf52aee64277771f3615f2810d
SHA1 3bed3b9c3322f6e1920f2ce89f484f8f7cf42236
SHA256 3184134f3cf27fec5cbd5abc2bdbc6188253ee8f035ad7bd11b188374769e3eb
SHA512 c9f9e9c4c39c004486637da56bc54da826b13d4fe15a472b5e9df816ab1374647ab842ecbad8eac6d23482f506abe1a175c93c9b07752f7d75d8babd67bcc334

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0b2931f0801bf719f16c2ff6dea1cee2
SHA1 4b3e4ff0be19a17ad8f7666e40b992ccd72804f5
SHA256 bd294057416e55f054367a610873db0e3b8966b12e2d42e0acb3244402e5f21d
SHA512 a10d9678f6f4b849da3d7f1ac0823b72658c5e86188bc45894ea67ce58d5a85073b957955f3a815ba97d0317ea7a25033094c900d09ae35f4bf8eb8270489406

memory/2584-220-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2368-224-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5d7e1325c61cadaf2a624f2a92197dba
SHA1 ac8ac5ce751f16016c495576a1d6b24c5973b208
SHA256 462a4f916d80b5267804a6230faab620d9067ac134c7ee2a706f0ea7b9907a6a
SHA512 7e03770248f3b766281b45f2abbf79cc6e9b29d03dae29a03e9ed3ee13bc94ab7031c10ac999ef892fb091f9afaca5f96f4120a7387dfd10097a991d2c44c257

memory/2584-232-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/2584-233-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-234-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6c7d6d75dcc95a415fd2490a00cfbdbe
SHA1 4fff2c1c4d653ac52388b2df2981997fb6f0a85f
SHA256 fb49ecb901fa98df8fd4bd07cd3a09fea4fb7c52dd9445ad5c4ff56ec3928fd5
SHA512 31a93d8e27b3d068d4d0e6c7bc1f0f7e3cb8d14a009e505bb7441bdf433398de3c07406e172b9e4bf9b8cf92749684fc6cd2da422f7ba41d87d6a81ab1a4c20e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 503f23c38d92d6a5b930218586506951
SHA1 d23b37ea5a39ea6fa8eb6382d9fc7fa70544ff84
SHA256 4498a17ead509603018624622931c90ba5c6902a5cf675a8e32ede8554cda950
SHA512 c672d31badf09f1cc0cd338764dc6a13e6616be00827a90ded6f21c56aafb0e8dc1c9bb0c1308d802c761547c4a8159b4083643e0f5b3a7b5ab36fb06579dae2

memory/2800-241-0x00000000002B0000-0x00000000002E0000-memory.dmp

memory/2948-242-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2800-240-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2948-248-0x0000000000300000-0x0000000000330000-memory.dmp

memory/2836-249-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2948-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2044-257-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-256-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/2836-258-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1036-265-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2044-264-0x00000000004B0000-0x00000000004E0000-memory.dmp

memory/2044-266-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1676-273-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1036-272-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/1036-274-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-281-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1676-280-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/1676-282-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1444-288-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2780-289-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1444-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2088-295-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2088-302-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-22 00:29

Reported

2024-03-22 00:31

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3724 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3724 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4772 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4772 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4772 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3628 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3628 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3628 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4840 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4840 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4840 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1636 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1636 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1636 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1312 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1312 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1312 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1100 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1100 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1100 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4532 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4532 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4532 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4248 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4248 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4248 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1572 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1572 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1572 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4396 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4396 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4396 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 364 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 364 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 364 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1284 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1284 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1284 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 508 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 508 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 508 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3604 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3604 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 3604 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 920 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 920 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 920 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2032 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2032 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 2032 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1224 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1224 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 1224 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 756 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 756 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 756 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4584 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4584 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4584 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
PID 4508 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe

C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
(28 consecutive identical rows collapsed into this one; the list records no PID or parent for them)

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
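The Network table above mixes three kinds of rows: a forward DNS query for the contacted domain, reverse (PTR, in-addr.arpa) lookups for a set of addresses, and the repeated TCP connections to 193.166.255.171:80. Only one of the reverse-resolved addresses (171.255.166.193.in-addr.arpa, i.e. 193.166.255.171) is also a connection target; the rest never appear as destinations and should not be lifted into an IOC list as if the sample had contacted them. The Python script below is an added example, not part of the sandbox report: it parses rows in this four-column layout, decodes PTR names back into the address they describe, tallies connections per endpoint, and emits only the domains and endpoints the sample actually connected to. The input is a constructed subset of the table above, so the counts are smaller than the full table's 28 connections.

```python
"""Normalise a flattened sandbox Network table into IOCs.

Added example, not part of the sandbox report.  SAMPLE_ROWS is a constructed
subset of the 'Country Destination Domain Proto' rows shown on this page.
"""
from collections import Counter
import ipaddress

SAMPLE_ROWS = """\
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
"""


def parse_rows(text):
    """Split 'Country Destination Domain Proto' rows into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header, blank, or damaged line
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """Turn '171.255.166.193.in-addr.arpa' back into '193.166.255.171'.
    Returns None for names that are not IPv4 reverse-lookup labels."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Separate forward DNS, reverse DNS and direct connections, tallying each."""
    forward, reverse, connections = Counter(), Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse[ip] += 1
            else:
                forward[r["domain"]] += 1
        else:
            connections[(r["ip"], r["port"], r["proto"], r["domain"])] += 1
    return {"forward": forward, "reverse": reverse, "connections": connections}


def iocs(rows):
    """Domains and ip:port/proto pairs the sample connected to or resolved,
    excluding hosts that were only reverse-resolved and never contacted."""
    s = summarize(rows)
    domains = set(s["forward"]) | {d for (_, _, _, d) in s["connections"]}
    endpoints = {f"{ip}:{port}/{proto}" for (ip, port, proto, _) in s["connections"]}
    return sorted(domains), sorted(endpoints)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    summary = summarize(rows)
    contacted = {c[0] for c in summary["connections"]}
    for (ip, port, proto, domain), n in summary["connections"].most_common():
        print(f"{n:3d}x {proto} {ip}:{port} ({domain})")
    print("reverse-resolved but never contacted:",
          sorted(ip for ip in summary["reverse"] if ip not in contacted))
    print("IOCs:", iocs(rows))
```

Run against the full table, the connection tally for 193.166.255.171:80/tcp comes out at 28 and the reverse-only list holds the other ten addresses, which is the split a detection engineer wants before blocking anything.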

Files

memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4772-5-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a78c25a70e7189c79905c02655fc56c1
SHA1 078dc7ffa52797c9e2a8e404ceec0c53f5bdeaca
SHA256 85d4de183194832d3411104931bde5ee19d6b59cd8f80923e1e816ecad057ac3
SHA512 74f7c4c0c52493706081cf1436bc4af5bc3799ae6655d40cf49d854518d7e34e4049f5a0d666bbaa7c919980a8daa54cba470cb9ec6e02306f063282e7b58fbc

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3724-9-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 088153ae643a531df4f561dee5b5f1fc
SHA1 66c9d2613e794147b42a4e786938316e2e90b59d
SHA256 eb7028be342a3eddf527089ff38417b2d7eb058c8e44dd77a26c38c9fdc266d1
SHA512 d9d98586cb42cda2b6371e873975987a568bd576963a159b804de7c5703140cc1b49489e4fb09fa997fec559301167f7fad0f1278abf062864b87d7812077b05

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 dd82e6cb46b188575c435989d71752e3
SHA1 fe94950459da82584f8e79647514769f69db665b
SHA256 aac78eb9c7168f0ee08a79d777ac15971685353a50f3c1e3ad41a1e95d384b2d
SHA512 183d9859d7cfb8052cc31dda9483b6f6dc0ad1cc881922f23f2ca2ec6c5693be54e7472de1f6eefb17b7ba0c2488f7b1fcc1e8a42c10feb8f650366784f8205b

memory/3628-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4772-22-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c9ce743ce32cd071c60389f1e8502025
SHA1 86f23b4012e43b155faf79e4dd0fdccf5de095c3
SHA256 eae17889026fbbda8422e6d62b14fac71141645feccb0a0864fbef14235bb4f2
SHA512 5e6a4e5f281c28ac09e273b3a8292f9b09fbb8b892fda52a1c9373ae65e08b89733bf8b39d5cf2aa7c9b3815c04aa013437abeab5596b55dae14ca83be95104a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6d7021f2ad0ce72a960f7c08cafb456d
SHA1 c91f255e3094944d43e4a0636f278bef2c9f3fb2
SHA256 eeb1d97e4a2c96389b22bbe11287541ff24165843e43df1ff3f49b46522ce974
SHA512 6d5d6329f0f56c80eb7327c5254976817748450e2355357dc272c27d8f35d18771b78013b8194534abc2e671f078fc2961147478dba0872c9fea97fe41aaea10

memory/4840-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3628-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bf69d5c91bc6b846198e931e7b5f9149
SHA1 2a607f08b1a4106c6820d6e002909e976bb61a9c
SHA256 1939c06add2f9948367253c02d075a99da3b05e778b20157c589661c9d12400c
SHA512 4d8dd87da0266846d874bb4b7c3d3f7fbe9692bef992292388f0ffc89133e929a35e00ebc57b76f5788c76cbf769bd56365b9bfea53f58b311445e5623d56969

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2bf3985fd214dae6faae65fde8a617bf
SHA1 bc2d7c53f13d23061edf1ae59dc5b3aa8bbf928d
SHA256 ac2a53a614ebc531f0446c2f71ae770a2e1c6a6c37089000b954f653f6edfbca
SHA512 30b9ef66acefea5507ffff5e399f1626738193575dc2c21383b79c89f0d7e62af5a4e217b50847b43965879d2a4b7a2c98c9460ac8bd7165ac2928645a9a4370

memory/1636-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4840-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2541c59bce8287c25a38984040bc0b8f
SHA1 c361efe954edba0acce6ae4239ad94623ee9947c
SHA256 415f51b5c1996429e9290dfb63896a9ec49b5dbb907d30b0f505e2bec00422cc
SHA512 8b8701f501685382ce0c0234912400d1bb06a7a85f29eec6708628ab53230a6ff8c0aef6fa4844f90bd4140c4c86680ff978d1565664f0d21c6502c86259f019

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bb79f7b8ba5cfada7234917a502a813f
SHA1 402c0f2b092def4f05175bb197036948a408f835
SHA256 1bfa036d0b11498c45d303a905f37be931df450559fc362d6a7a60296021bca3
SHA512 ad6c299d432f6670148afa9ef6888fc8284cef50deaa447f3875d9602a00e2433e719c62c7067ac19b1f42fca7ba0218124f676dc01bb1bee80984c7c172e653

memory/1312-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1636-61-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bfc6c8bcc8737139701f278fc52bb4d7
SHA1 9d5b64c237d92ec3716bdaa7b6b083f78c5d7f3b
SHA256 b5375e694413b22e2e2d5c6a0bc916036a19dcb0c5f26d07f407e601e7675e24
SHA512 3e801a03e2d4148b9de872fa19c1be1fc20c86d8e3fbd611904242c862d6cfe2538b615c56b26cdfbb1c065c62284cb252ee84bfce1d49237ac2a26ab5ebbbb3

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a4a0a0bccb0bc19e3140f18ba5347cf9
SHA1 1452f44c43b1147a8ab2f8f9d3dacd6ce0edf9fd
SHA256 c3db484b8130b32a8e28be6ba407136c13940129c55c6733607a0e95afdbdbaa
SHA512 6830297479eb1265c3adbf1d99b65d9d4ab9cfdab8ae7862854a912c95974ad003f50395a30dd940cae70cfab8efb62380221b8b63e33664ab6012912902d928

memory/1100-70-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1312-74-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 511fe47f51ca181c3ef7a898953b1d47
SHA1 47bc4009396cd583afea617f4ea45b7cf1178aee
SHA256 42a7f9080527819f66728aa8b280b455d4fa0b5349da828ce38ffaa6721102b4
SHA512 e56c4c458c2d1885e33faac80ac79b1e216006c7a23eb544fe5835173a3b953591f0b4ea7557f0247615ed8ce2d0421d772d410652bc787b48b28cae6e8a5e8f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3e718956a766389c9945106a726a0357
SHA1 ed74fd8433c7af247b206277ffffa5230da1929f
SHA256 bb5ca0f1fce46b5d7e190189a00355d3736c01f048edf6eb69933fe2ddff98f7
SHA512 55fc0e15a1be1af92d5444aaf871da3a6446b42a6937545fc75e2d067aaacd44a75cae62fbbdfbbe3310e09e706545e8855f28188e1faa5f7a39eae1014709fc

memory/4532-85-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1100-87-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ceea49c4cbf255aded506a41ef449805
SHA1 bbe6d82e50c0aac5b00d178f84501d08bc9aa8a1
SHA256 c060cdc534dd403e7d545ae5cb7700b5cf34039f719fbc087dd419cb1114a6e8
SHA512 993814973272172cd0a5343c6f92c739dbe12a7544c042b64686bbfe34980dad2750927e330a3d6c48795ee2bc9499497239e9f93847f575abfe69d826e4a206

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2a5513f720c6cddcd0b5592d1644fca8
SHA1 8f3805803e99bdf796fce5dec4f95cfaecfbfcae
SHA256 8f973e010078314e07dfcb381501b08dd24d5015cddc0e8eb9327dc15c3dea4e
SHA512 502dba394abd9effba9e3932da9d530a20d36fe2eb20337f0de6a33633a60429c8c9e02c30740feae9281684322a14d84bc0f302aa9d0d4b834106c2367494c7

memory/4248-98-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4532-100-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 11ac86f1971412069f74d77a25e5e379
SHA1 619a5e25829312175017d209fb7078ffed2c2911
SHA256 4f03fbcc86d653167b8b323bec12d05a4570098ec21c32b7e141db9e48192c30
SHA512 d4a1e9fe80de5efdc929f8fb5b33ceb11059689af1505c1134214e89b4015a734efb468c176d14ecdb50fcc382f542a92c2656392448a59f054f114354724a57

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bc357d2e5ff744c3e6a09847b70a51fd
SHA1 9dcc2024b0c2e7fffeb6194674ec022c4c22bde1
SHA256 7689b8bae0a547319fcc157ebf5b81643ae7d1e6db6e02323855c89b14f8e8f3
SHA512 1c9bb07adc8fb81b650cceead7047214e5cb199e81b4f1eeb4ab0086b19982cc2c471a02de6a8719521b34f279c3af8b4d28dc2d3027f057ac4724ff846bcf45

memory/1572-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4248-113-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 85fc9418892e08e0ee2ddcdd268b7794
SHA1 d33a9bee1a1ee1e6ed1bf8e38f63ac9e6916cdca
SHA256 4e398f057eaa404991b6a1cfc2f81ae8253804e2dd2e339146973640f1957e1d
SHA512 0583d212d03d5796267f9a793fb0905d702def731d18aabe2bb0c5e050dbcc77c09b974eb3f1bf9219f14c48486ab86b1c2d47f1516262e1807ac6ddd3ac82a6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d81460ee099e95198b92ba4233619103
SHA1 12cda43c34a0c688deca8ab5e67c64b8e59337da
SHA256 6b634de06c62257e801094c723eacd4dc237d4c21a43711ac8302a4590724afe
SHA512 1cd42489cb1410da4f87aadbaf659a9cc63b1676ba915e93bbab858883d5132183da9e6c048437afad3e7f04a3731e031d7316d002dc496488078df154b709a7

memory/4396-124-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1572-126-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0cb14d18502f060e84e2fcbfa1780d9a
SHA1 69fc31b5295e4c2e153d0b57dc8f456eb6925b1a
SHA256 122ef626066c0c10067858bb7cab72875dd2a9f318b4fac220efc354aa8c7359
SHA512 aceeca05a39bc9e5d12e39e68e79ba40090f605204d9091d4a3ee6b44d0c2c8e99dcea1f19eaaa7ddc615adaf64f2421359e37ae5b61cf3621780919d3a52956

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0e6c2b1c33398218cc7f6d6f5308964b
SHA1 3accaeeedc3a11085a3f4557e9d387eb9a8311fc
SHA256 32df770d084543345699bd6f41a734a59fc087282794d46a7982d85058ebb686
SHA512 04c7462a055fbd54fa5b1f5630c8f16541f355ae7393db6d8873c515c1f146234c526e294b27a060260e82b9f338777de8e4405c5f51372f2769df9452dc7504

memory/364-136-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4396-139-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5be4b05669cf764dd52219619fd1b2ae
SHA1 24ca3066ae814eee63575975a74efeb66923e8e2
SHA256 49f0ff7f1c740652a79d7408f65ebf0def67d634ba421eb5090d5cc77c83e08d
SHA512 e5c16574a48e9e018e19559a0a14f3153261588589ed479fb07f0217c3401774a0c6a9dad0fcd01c546f2026b603410313412b2e3869499a7172cdeaea2f7dae

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5523daa767aa6d194f76012c5cb50d1c
SHA1 50af9268e00da1a90b377314e84dc8ad5d23f618
SHA256 930476084feccd34bf05d990073700668827ca08b5883467c582931eb6c78fad
SHA512 22c9e85653bb5d4639c609cfae3fd84293ed49be19ac158d95abd5a90623e8ac9bc1ed75ba477a674ff86aded0dbb974b1791f150cce906c08a030c43840dac0

memory/1284-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/364-152-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ff471e30ce7ba043c66b2fab55687d3a
SHA1 f1908179ec546f0596c794b82f96ac11a98c3de1
SHA256 ddf3246d0f059f4e49f1f09bfe85dbf88720c3580fdce03d4e0c031b5905e7d7
SHA512 68cf870e77cd3412b3234e34d48c11f20578878a78103d2bff3c907c854847ad8a47b26ae0d751e95aac65fafbbde225b910d7d0592d72042aaa484a83ea953f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9a6538e279b9ec51599ea0fa5f1961a7
SHA1 fcec2345e09b07c804d31ec9c3df604d9a8086de
SHA256 7849e9d56f177082029a9e176adb7abba5a61a2ced33e344d17c897be81719b2
SHA512 fcb00431afbcb2878329cb258da3879c6906e4dd1b260055ef00fcdc3a57c73e3c837fdfff6b9be11c21d465af6d4939d96820ef7a608653f8e83de4852b2ba1

memory/508-163-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1284-165-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 60ff978f3e7a6a43aeb3b3e1fcfcac0e
SHA1 08a9cacbfc78911694600d2950874d0d14492db5
SHA256 2bb902ca3877960b9540c25495b855370b09df9da90487b0e73f32b015b796e5
SHA512 57ae68f5b8381c93b456265a5059f7aa5fab70f567fbf6b7284f3e05280c186106b2ae98c9a9371aa611ddcfdb078eb97d1728724af0369dce2278dc6bcca14b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8a1c521199ea9f0c3169f165b2311104
SHA1 e64298264f729a1d280df3f10f5ddd628eba9f70
SHA256 5da6116ba3b1a65b1154409e9525697329ddb1dbdcce9de33ed1b13d68c4d9ee
SHA512 83c9c184588d286a4dddc5832c0f26ba9421897e7026fc65871b7cec932c8bbfc700d0de9ab42fed6cd06d03f743f0ef10c11992e4e1e03b78aa44f49784cf45

memory/3604-176-0x0000000000400000-0x0000000000430000-memory.dmp

memory/508-178-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 74de9eb192fbb0596799b86e931b520f
SHA1 c474ffed76dc7321a69b1ce3bf9893ac6d49201f
SHA256 dadffb908658cc69c37fba210dfde652b040207fa661ff2966476ee996b6a934
SHA512 e2af645383ae7942fdd08918f4b7653b6096e58ef93a1bbfd606da7862cfea59870c8e65dbb78ebc2910315b4390828ac3e21aa52ba7891c529531203ce802e2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 de999a85997c219b1918039ffa79e547
SHA1 ba0e5f74440177827abf0411df4e0e207d99a0c9
SHA256 a8f8684fe125380537bdd337f8b7ccb6f35be930436f7a14a8181398d1e03109
SHA512 2afbf2a383fa5f29a8aac15d037c8556add628cdf3ae2e5b60b1138d079236a646b0c85227f5f4f36fa50d226fd3141289d7e20222d64f95fbc2d72f3dc09cc1

memory/3604-190-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7116fada6f2e87ab8539ac2f7949a6d8
SHA1 31a73a620c3757330e7cb7749a938a0c841ee161
SHA256 457c900925c2bd19232cb8b411de2bd1782191f7320c5e48109d1154d5e809e8
SHA512 b5d5599f90c517bd6cb6107afc91c2ac2ecb7a2be94ecd02c77c2a4f955550be942911cf393ece05ec5676bc029bca3874b35a18e7312de3f27d907162d58dd4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d16d0c338dec1355d0241cbc74a6001d
SHA1 f2b26abb00971a9b8789024fcab5ffebb61261b2
SHA256 386986afbdb8904a07a08c245ad179a4f02566e367c3c31b294774db52a6ecbd
SHA512 68ee94fb7769c42ba16a61b8ead48835392bcc5b84d57fb6e0a1a259b794836fe672642f9a1a83c9a341f91f06be7f2adbce5dd423e356c9c8893c8d67a5fb85

memory/920-202-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 edc7b6a6307a852b974e34a24f10ec58
SHA1 d7993fd64f4f99fe56fb903151a7f8602703e95a
SHA256 461d5722a6bf75c5e291a0000058a67c74ec08abb5e0aaa27bd3f9dcb1c2baf3
SHA512 81101115def8125857b21d616a1ff969b7a9e3bf6b4d8fafccf839851404b4e3635a9a67532de708c2bd19606839daa543ebe79ea4a16d3b4cc7eddfe963e5ee

memory/1224-213-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d560091eea7dac90f7854919204c43a6
SHA1 3e8060005c0115646d48a284734bdb7404bc4f20
SHA256 43eed176fd0066110da21ddaa9f0ff934660d7da4967866843720bd33f89886f
SHA512 5531cd8293989ac4ca73aa04120b803e624a0b246fdbd738e18162ef157373a033407b2c2f80a613409fdcec4c7a21f2fac24b575670cb74abb7d6cbc416702e

memory/2032-215-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 232a7ee551c80c64d079507144c67d24
SHA1 6cc08525799839df963baa7417d0ad1afd534d17
SHA256 5f52ab791f38fbb0c487a2ab5ece845e1f15e7fa45eccff36ed1692b25c83fd8
SHA512 84c281bf59d3669de73a17be88329302d3bedfadae88fd4b478f2e9819542c87405633f514e0e0f58e94d24c7855ad0a85a6662fd206843b3449b9f0eb9863bc

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9dfadeefb864c332078ec09de0351fe8
SHA1 25b798b60d00ea387a0c3440b3055e1d74b07757
SHA256 3ec1387c17a5c0b22b382caaec97808bace64f3b5b169117801d055a41c302b1
SHA512 12d6f56bcf97085fff17e5b8a85f193dfb9cd5cc55ac37cca74c99da2babf6200f458a1e0c7c132b27b11bbced1901adf9102d38afc1e1e78adfb43fc41b53c5

memory/756-226-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1224-228-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ef1211445675706b40146c83706b6cfd
SHA1 f7fc270e2b060d4f6381200b45d6511ea802854e
SHA256 9c595a20622f983c8719f0b82babd1e39d1a3d03a587e6b637228b1428010510
SHA512 94ef32fc68b47d16a58487bef254b56662e6cf0aae4e54b50d3d04a0cc488cd5ca568cc0c30bad75782abe93c628960888819a030ce7e062611061043e7b7f45

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c45be19c7b1f4193639e81b51c3e391e
SHA1 bc68ce5f619a4e76b180f89c5e461e9635051eb3
SHA256 ea0d402af3c995f00e91e0734de45378c0b1bb9e4a8933a03a5a70ed3ff1084e
SHA512 11a6ba1500d69808a531208918b4085cfe3fc908614e014e4c9f3d1e093eafacf75ac69e3406cd17257555509c8bbd2109e5c1fa058fc64d19998d89cd9ed635

memory/4584-240-0x0000000000400000-0x0000000000430000-memory.dmp

memory/756-241-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c31d1070ed66de3a050ed45a244c79b0
SHA1 76508a627a6e97bbc4620d61d5fe69edbb377af9
SHA256 5ddfb133bf17f424d5cea17ef00019cd5fdbd8c594a5204263cce93c663a5391
SHA512 2e3bfc04a88dfe941712f22fd302efb09d46d21ba2c1c621d0c2d23cbe093d3e36d9e2c0fb006bfec6d043e38460b65d0e58518ae38823d9f8ccf4b5229c06e9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 95a1992929892c85269d12401dd3f58a
SHA1 7cfde1864108941f7c94f5796e921fc89df87640
SHA256 1f87e1cdecdaac5bb4b5ac9f5f9a0c19b6d24cbd940e3a189b41e9bdb271454f
SHA512 0ec9fd85e9ba8ac3c44731eb4a62721c69e85379df57bfe682bc56f0462beae6911c09157180451f4bf5720d7c15c40e741c56707ba1f9e90e2983ae91fb88c0

memory/4584-253-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1ca8448381ae0cfa70b2b7da6b64524f
SHA1 7c13f706ae525df3a0471b5230817999c3803650
SHA256 e8c15cfcec3f1690855ec95d1d0ad5f0ed9e733cfcf249b5a07590625e49da40
SHA512 904fc0bbdb9155ba3d825b4e8529ec6749a9835e1204617612e674672978af8966fc99226684be4279c2a2e396edd11baaaeb6ce26f43882c2ef4e587b90e15e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 19da8cf97786d947b20dc6791f2093c1
SHA1 21123517017822118a74a83c6e26a2b776bf6353
SHA256 6e69f9d9819eb7d956e0046206b4c8af6ed468b4a20f622d3bd5fcd79c260e2e
SHA512 f82f7902cd1e2b4cd0c056dcc176f8c427d490f0e65585773c2cf20b0e281e6e33a1441019dc2766abd5b5d2ac1a3a69e1750298cad649127f9ef679e2ff7d9d

memory/4508-265-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b87a72b9bdba3a70e3e71be31c0f9bf2
SHA1 15e38318ca626127d207aa4719f999e10795923d
SHA256 c698f038b6707d51e8b9ebd6ab7139adf13443b551373d33dc2524008b00962d
SHA512 8f3c5a10a27d57dea5185e4c3d65ba35ce0b611b27d42772fbbb9c87374e02e957296e2db344417351d73092cc39531f609828ce5dd412b304d87d41f9c32dbf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4f6772749324ad1ee998f25260392a4e
SHA1 4814c5614a9cac27bf0eb9cf7c520b3e5704a5fe
SHA256 22f94b4a3652cefc54886857e79830d00d2087594d7b65432d2fe6995ff7ddfa
SHA512 6a3cf394e7b278c8fff63dcc61b0e139b7f4785b0e94316613088a02864b59fe138e56f4212fd663bf02a8959290404dd5c1e1138fce2e5e6233e54f884d384b

memory/3624-276-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3292-285-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4784-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4712-295-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3292-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/724-305-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4712-306-0x0000000000400000-0x0000000000430000-memory.dmp

memory/724-315-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2764-324-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5108-325-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4484-334-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2764-335-0x0000000000400000-0x0000000000430000-memory.dmp
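Two things in the Files list above deserve a check rather than a glance. First, every drop of C:\Windows\SysWOW64\drivers\spools.exe and of C:\Users\Admin\Local Settings\Application Data\cftmon.exe carries a different hash, so hash-based blocking of any single copy is useless; the names themselves are near-misses of the legitimate spoolsv.exe and ctfmon.exe. Second, the hashes recorded for \??\c:\stop (MD5 c4ca4238a0b923820dcc509a6f75849b, SHA1 356a192b..., SHA256 6b86b273...) are the well-known digests of the single byte "1", so that file is a one-byte marker, not a payload. The Python script below is an added example, not part of the sandbox report: it parses entries in this path-then-hash-lines layout, counts distinct SHA256 values per path, verifies an entry's recorded hashes against candidate content, and flags file names that closely resemble legitimate Windows binary names. The LEGIT_NAMES tuple and the 0.8 similarity threshold are assumptions chosen for the example; the input is a constructed subset of the entries above with the SHA512 lines omitted for width.

```python
"""Triage helpers for the Files section of a sandbox report.

Added example, not part of the report.  SAMPLE_FILES is a constructed subset
of the Files entries on this page: a path line followed by 'ALGO <hex>' lines
(SHA512 lines left out for width).
"""
import difflib
import hashlib
import re
from collections import defaultdict

SAMPLE_FILES = r"""
memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a78c25a70e7189c79905c02655fc56c1
SHA256 85d4de183194832d3411104931bde5ee19d6b59cd8f80923e1e816ecad057ac3

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 088153ae643a531df4f561dee5b5f1fc
SHA256 eb7028be342a3eddf527089ff38417b2d7eb058c8e44dd77a26c38c9fdc266d1

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 dd82e6cb46b188575c435989d71752e3
SHA256 aac78eb9c7168f0ee08a79d777ac15971685353a50f3c1e3ad41a1e95d384b2d
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
              "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Legitimate Windows binary names to compare dropped names against
# (assumed list for this example; extend it for real triage).
LEGIT_NAMES = ("spoolsv.exe", "ctfmon.exe", "svchost.exe", "explorer.exe", "lsass.exe")


def parse_files(text):
    """Return [{'path': str, 'hashes': {algo: hex}}, ...] in page order.
    Any non-blank line that is not an 'ALGO <hex>' line starts a new entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            entries.append({"path": line, "hashes": {}})
            continue
        if not entries:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_ALGOS[algo]().digest_size * 2:
            raise ValueError(f"{algo} digest has the wrong length: {line}")
        entries[-1]["hashes"][algo] = digest
    return entries


def variants_per_path(entries):
    """Distinct SHA256 values recorded per path; more than one means the same
    file name was written with different content on successive drops."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


def matches_content(entry, content):
    """True if every hash recorded for `entry` equals the hash of `content`."""
    if not entry["hashes"]:
        return False
    return all(HASH_ALGOS[algo](content).hexdigest() == digest
               for algo, digest in entry["hashes"].items())


def lookalikes(entries, threshold=0.8):
    """Map dropped .exe names to the legitimate name they most resemble when
    the similarity ratio is at least `threshold` and the names differ."""
    hits = {}
    for e in entries:
        name = e["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if not name.endswith(".exe") or name in LEGIT_NAMES:
            continue

        def ratio(legit, name=name):
            return difflib.SequenceMatcher(None, name, legit).ratio()

        best = max(LEGIT_NAMES, key=ratio)
        if ratio(best) >= threshold:
            hits[name] = best
    return hits


if __name__ == "__main__":
    entries = parse_files(SAMPLE_FILES)
    print("distinct SHA256 per path:", variants_per_path(entries))
    stop = next(e for e in entries if e["path"] == r"\??\c:\stop")
    print(r"\??\c:\stop is the single byte '1':", matches_content(stop, b"1"))
    print("lookalike names:", lookalikes(entries))
```

Because each dropped copy hashes differently, the durable indicators here are the paths, the lookalike names, the one-byte c:\stop marker and the network endpoints, not the per-file digests.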