Analysis Overview
SHA256
cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab
Threat Level: Known bad
The file cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Sets service image path in registry
Drops file in Drivers directory
Modifies system executable filetype association
UPX packed file
Installs/modifies Browser Helper Object
Adds Run key to start application
Modifies WinLogon
Enumerates connected drives
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-22 00:29
Signatures
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-22 00:29
Reported
2024-03-22 00:31
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
Files
| SHA256 | 462a4f916d80b5267804a6230faab620d9067ac134c7ee2a706f0ea7b9907a6a |
| SHA512 | 7e03770248f3b766281b45f2abbf79cc6e9b29d03dae29a03e9ed3ee13bc94ab7031c10ac999ef892fb091f9afaca5f96f4120a7387dfd10097a991d2c44c257 |
memory/2584-232-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/2584-233-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-234-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6c7d6d75dcc95a415fd2490a00cfbdbe |
| SHA1 | 4fff2c1c4d653ac52388b2df2981997fb6f0a85f |
| SHA256 | fb49ecb901fa98df8fd4bd07cd3a09fea4fb7c52dd9445ad5c4ff56ec3928fd5 |
| SHA512 | 31a93d8e27b3d068d4d0e6c7bc1f0f7e3cb8d14a009e505bb7441bdf433398de3c07406e172b9e4bf9b8cf92749684fc6cd2da422f7ba41d87d6a81ab1a4c20e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 503f23c38d92d6a5b930218586506951 |
| SHA1 | d23b37ea5a39ea6fa8eb6382d9fc7fa70544ff84 |
| SHA256 | 4498a17ead509603018624622931c90ba5c6902a5cf675a8e32ede8554cda950 |
| SHA512 | c672d31badf09f1cc0cd338764dc6a13e6616be00827a90ded6f21c56aafb0e8dc1c9bb0c1308d802c761547c4a8159b4083643e0f5b3a7b5ab36fb06579dae2 |
memory/2800-241-0x00000000002B0000-0x00000000002E0000-memory.dmp
memory/2948-242-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2800-240-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2948-248-0x0000000000300000-0x0000000000330000-memory.dmp
memory/2836-249-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2948-250-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2044-257-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2836-256-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/2836-258-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1036-265-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2044-264-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/2044-266-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1676-273-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1036-272-0x00000000002E0000-0x0000000000310000-memory.dmp
memory/1036-274-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2780-281-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1676-280-0x00000000003D0000-0x0000000000400000-memory.dmp
memory/1676-282-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1444-288-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2780-289-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1444-296-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2088-295-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2088-302-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-22 00:29
Reported
2024-03-22 00:31
Platform
win10v2004-20231215-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Both values written here are the stock Windows defaults (Shell = Explorer.exe, Userinit = C:\Windows\system32\userinit.exe, with the trailing comma). The signature fires on the write to the Winlogon key, not on a malicious value, so on a live host compare the current Shell and Userinit values against these defaults in both the native and the WOW6432Node view before treating the key as an indicator of compromise.
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
This signature fired 64 times in this detonation; the sandbox records no indicator, process or target for any of the hits.
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
The same value was written 28 times during the run. Schedule is the service name of the built-in Task Scheduler, which on a stock system is hosted by svchost.exe, so an ImagePath pointing at an .exe under drivers\ is a hijack of an existing service rather than the registration of a new one. The value names system32\drivers, but the dropped spools.exe copies listed above sit in C:\Windows\SysWOW64\drivers\ because the 32-bit sample's writes to system32 are redirected by WOW64 on a 64-bit host; check both directories, and note that spools.exe is a look-alike of the legitimate spoolsv.exe.
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
This signature fired 64 times in this detonation; the sandbox records no indicator, process or target for any of the hits.
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
The sandbox logged 62 Run-key writes in this run, all of them one of the four key/value combinations above, repeated. Two value names are used, autoload and ntuser, each set under both the per-user hive of the logged-on account and the 32-bit machine-wide Run key. The cftmon.exe name is a look-alike of the legitimate ctfmon.exe, and the path C:\Users\Admin\Local Settings\Application Data is the Windows XP-era profile layout; on Vista and later that path is a compatibility junction onto C:\Users\Admin\AppData\Local, which is where the file actually lands. The dropped cftmon.exe and spools.exe copies listed above each carry a different SHA256, so the stable indicators for this sample are the value names and paths, not the file hashes.
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
"C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
C:\Users\Admin\AppData\Local\Temp\cce15977bd2f07afc6203cf7686e6c49ed7f20603a2ba6a0bb4269b2a1d1f2ab.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4772-5-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a78c25a70e7189c79905c02655fc56c1 |
| SHA1 | 078dc7ffa52797c9e2a8e404ceec0c53f5bdeaca |
| SHA256 | 85d4de183194832d3411104931bde5ee19d6b59cd8f80923e1e816ecad057ac3 |
| SHA512 | 74f7c4c0c52493706081cf1436bc4af5bc3799ae6655d40cf49d854518d7e34e4049f5a0d666bbaa7c919980a8daa54cba470cb9ec6e02306f063282e7b58fbc |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3724-9-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 088153ae643a531df4f561dee5b5f1fc |
| SHA1 | 66c9d2613e794147b42a4e786938316e2e90b59d |
| SHA256 | eb7028be342a3eddf527089ff38417b2d7eb058c8e44dd77a26c38c9fdc266d1 |
| SHA512 | d9d98586cb42cda2b6371e873975987a568bd576963a159b804de7c5703140cc1b49489e4fb09fa997fec559301167f7fad0f1278abf062864b87d7812077b05 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | dd82e6cb46b188575c435989d71752e3 |
| SHA1 | fe94950459da82584f8e79647514769f69db665b |
| SHA256 | aac78eb9c7168f0ee08a79d777ac15971685353a50f3c1e3ad41a1e95d384b2d |
| SHA512 | 183d9859d7cfb8052cc31dda9483b6f6dc0ad1cc881922f23f2ca2ec6c5693be54e7472de1f6eefb17b7ba0c2488f7b1fcc1e8a42c10feb8f650366784f8205b |
memory/3628-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4772-22-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c9ce743ce32cd071c60389f1e8502025 |
| SHA1 | 86f23b4012e43b155faf79e4dd0fdccf5de095c3 |
| SHA256 | eae17889026fbbda8422e6d62b14fac71141645feccb0a0864fbef14235bb4f2 |
| SHA512 | 5e6a4e5f281c28ac09e273b3a8292f9b09fbb8b892fda52a1c9373ae65e08b89733bf8b39d5cf2aa7c9b3815c04aa013437abeab5596b55dae14ca83be95104a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6d7021f2ad0ce72a960f7c08cafb456d |
| SHA1 | c91f255e3094944d43e4a0636f278bef2c9f3fb2 |
| SHA256 | eeb1d97e4a2c96389b22bbe11287541ff24165843e43df1ff3f49b46522ce974 |
| SHA512 | 6d5d6329f0f56c80eb7327c5254976817748450e2355357dc272c27d8f35d18771b78013b8194534abc2e671f078fc2961147478dba0872c9fea97fe41aaea10 |
memory/4840-33-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3628-35-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bf69d5c91bc6b846198e931e7b5f9149 |
| SHA1 | 2a607f08b1a4106c6820d6e002909e976bb61a9c |
| SHA256 | 1939c06add2f9948367253c02d075a99da3b05e778b20157c589661c9d12400c |
| SHA512 | 4d8dd87da0266846d874bb4b7c3d3f7fbe9692bef992292388f0ffc89133e929a35e00ebc57b76f5788c76cbf769bd56365b9bfea53f58b311445e5623d56969 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2bf3985fd214dae6faae65fde8a617bf |
| SHA1 | bc2d7c53f13d23061edf1ae59dc5b3aa8bbf928d |
| SHA256 | ac2a53a614ebc531f0446c2f71ae770a2e1c6a6c37089000b954f653f6edfbca |
| SHA512 | 30b9ef66acefea5507ffff5e399f1626738193575dc2c21383b79c89f0d7e62af5a4e217b50847b43965879d2a4b7a2c98c9460ac8bd7165ac2928645a9a4370 |
memory/1636-46-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4840-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2541c59bce8287c25a38984040bc0b8f |
| SHA1 | c361efe954edba0acce6ae4239ad94623ee9947c |
| SHA256 | 415f51b5c1996429e9290dfb63896a9ec49b5dbb907d30b0f505e2bec00422cc |
| SHA512 | 8b8701f501685382ce0c0234912400d1bb06a7a85f29eec6708628ab53230a6ff8c0aef6fa4844f90bd4140c4c86680ff978d1565664f0d21c6502c86259f019 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bb79f7b8ba5cfada7234917a502a813f |
| SHA1 | 402c0f2b092def4f05175bb197036948a408f835 |
| SHA256 | 1bfa036d0b11498c45d303a905f37be931df450559fc362d6a7a60296021bca3 |
| SHA512 | ad6c299d432f6670148afa9ef6888fc8284cef50deaa447f3875d9602a00e2433e719c62c7067ac19b1f42fca7ba0218124f676dc01bb1bee80984c7c172e653 |
memory/1312-59-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1636-61-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bfc6c8bcc8737139701f278fc52bb4d7 |
| SHA1 | 9d5b64c237d92ec3716bdaa7b6b083f78c5d7f3b |
| SHA256 | b5375e694413b22e2e2d5c6a0bc916036a19dcb0c5f26d07f407e601e7675e24 |
| SHA512 | 3e801a03e2d4148b9de872fa19c1be1fc20c86d8e3fbd611904242c862d6cfe2538b615c56b26cdfbb1c065c62284cb252ee84bfce1d49237ac2a26ab5ebbbb3 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a4a0a0bccb0bc19e3140f18ba5347cf9 |
| SHA1 | 1452f44c43b1147a8ab2f8f9d3dacd6ce0edf9fd |
| SHA256 | c3db484b8130b32a8e28be6ba407136c13940129c55c6733607a0e95afdbdbaa |
| SHA512 | 6830297479eb1265c3adbf1d99b65d9d4ab9cfdab8ae7862854a912c95974ad003f50395a30dd940cae70cfab8efb62380221b8b63e33664ab6012912902d928 |
memory/1100-70-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1312-74-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 511fe47f51ca181c3ef7a898953b1d47 |
| SHA1 | 47bc4009396cd583afea617f4ea45b7cf1178aee |
| SHA256 | 42a7f9080527819f66728aa8b280b455d4fa0b5349da828ce38ffaa6721102b4 |
| SHA512 | e56c4c458c2d1885e33faac80ac79b1e216006c7a23eb544fe5835173a3b953591f0b4ea7557f0247615ed8ce2d0421d772d410652bc787b48b28cae6e8a5e8f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3e718956a766389c9945106a726a0357 |
| SHA1 | ed74fd8433c7af247b206277ffffa5230da1929f |
| SHA256 | bb5ca0f1fce46b5d7e190189a00355d3736c01f048edf6eb69933fe2ddff98f7 |
| SHA512 | 55fc0e15a1be1af92d5444aaf871da3a6446b42a6937545fc75e2d067aaacd44a75cae62fbbdfbbe3310e09e706545e8855f28188e1faa5f7a39eae1014709fc |
memory/4532-85-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1100-87-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ceea49c4cbf255aded506a41ef449805 |
| SHA1 | bbe6d82e50c0aac5b00d178f84501d08bc9aa8a1 |
| SHA256 | c060cdc534dd403e7d545ae5cb7700b5cf34039f719fbc087dd419cb1114a6e8 |
| SHA512 | 993814973272172cd0a5343c6f92c739dbe12a7544c042b64686bbfe34980dad2750927e330a3d6c48795ee2bc9499497239e9f93847f575abfe69d826e4a206 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2a5513f720c6cddcd0b5592d1644fca8 |
| SHA1 | 8f3805803e99bdf796fce5dec4f95cfaecfbfcae |
| SHA256 | 8f973e010078314e07dfcb381501b08dd24d5015cddc0e8eb9327dc15c3dea4e |
| SHA512 | 502dba394abd9effba9e3932da9d530a20d36fe2eb20337f0de6a33633a60429c8c9e02c30740feae9281684322a14d84bc0f302aa9d0d4b834106c2367494c7 |
memory/4248-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4532-100-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 11ac86f1971412069f74d77a25e5e379 |
| SHA1 | 619a5e25829312175017d209fb7078ffed2c2911 |
| SHA256 | 4f03fbcc86d653167b8b323bec12d05a4570098ec21c32b7e141db9e48192c30 |
| SHA512 | d4a1e9fe80de5efdc929f8fb5b33ceb11059689af1505c1134214e89b4015a734efb468c176d14ecdb50fcc382f542a92c2656392448a59f054f114354724a57 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bc357d2e5ff744c3e6a09847b70a51fd |
| SHA1 | 9dcc2024b0c2e7fffeb6194674ec022c4c22bde1 |
| SHA256 | 7689b8bae0a547319fcc157ebf5b81643ae7d1e6db6e02323855c89b14f8e8f3 |
| SHA512 | 1c9bb07adc8fb81b650cceead7047214e5cb199e81b4f1eeb4ab0086b19982cc2c471a02de6a8719521b34f279c3af8b4d28dc2d3027f057ac4724ff846bcf45 |
memory/1572-111-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4248-113-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 85fc9418892e08e0ee2ddcdd268b7794 |
| SHA1 | d33a9bee1a1ee1e6ed1bf8e38f63ac9e6916cdca |
| SHA256 | 4e398f057eaa404991b6a1cfc2f81ae8253804e2dd2e339146973640f1957e1d |
| SHA512 | 0583d212d03d5796267f9a793fb0905d702def731d18aabe2bb0c5e050dbcc77c09b974eb3f1bf9219f14c48486ab86b1c2d47f1516262e1807ac6ddd3ac82a6 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d81460ee099e95198b92ba4233619103 |
| SHA1 | 12cda43c34a0c688deca8ab5e67c64b8e59337da |
| SHA256 | 6b634de06c62257e801094c723eacd4dc237d4c21a43711ac8302a4590724afe |
| SHA512 | 1cd42489cb1410da4f87aadbaf659a9cc63b1676ba915e93bbab858883d5132183da9e6c048437afad3e7f04a3731e031d7316d002dc496488078df154b709a7 |
memory/4396-124-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1572-126-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0cb14d18502f060e84e2fcbfa1780d9a |
| SHA1 | 69fc31b5295e4c2e153d0b57dc8f456eb6925b1a |
| SHA256 | 122ef626066c0c10067858bb7cab72875dd2a9f318b4fac220efc354aa8c7359 |
| SHA512 | aceeca05a39bc9e5d12e39e68e79ba40090f605204d9091d4a3ee6b44d0c2c8e99dcea1f19eaaa7ddc615adaf64f2421359e37ae5b61cf3621780919d3a52956 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0e6c2b1c33398218cc7f6d6f5308964b |
| SHA1 | 3accaeeedc3a11085a3f4557e9d387eb9a8311fc |
| SHA256 | 32df770d084543345699bd6f41a734a59fc087282794d46a7982d85058ebb686 |
| SHA512 | 04c7462a055fbd54fa5b1f5630c8f16541f355ae7393db6d8873c515c1f146234c526e294b27a060260e82b9f338777de8e4405c5f51372f2769df9452dc7504 |
memory/364-136-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4396-139-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5be4b05669cf764dd52219619fd1b2ae |
| SHA1 | 24ca3066ae814eee63575975a74efeb66923e8e2 |
| SHA256 | 49f0ff7f1c740652a79d7408f65ebf0def67d634ba421eb5090d5cc77c83e08d |
| SHA512 | e5c16574a48e9e018e19559a0a14f3153261588589ed479fb07f0217c3401774a0c6a9dad0fcd01c546f2026b603410313412b2e3869499a7172cdeaea2f7dae |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5523daa767aa6d194f76012c5cb50d1c |
| SHA1 | 50af9268e00da1a90b377314e84dc8ad5d23f618 |
| SHA256 | 930476084feccd34bf05d990073700668827ca08b5883467c582931eb6c78fad |
| SHA512 | 22c9e85653bb5d4639c609cfae3fd84293ed49be19ac158d95abd5a90623e8ac9bc1ed75ba477a674ff86aded0dbb974b1791f150cce906c08a030c43840dac0 |
memory/1284-150-0x0000000000400000-0x0000000000430000-memory.dmp
memory/364-152-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ff471e30ce7ba043c66b2fab55687d3a |
| SHA1 | f1908179ec546f0596c794b82f96ac11a98c3de1 |
| SHA256 | ddf3246d0f059f4e49f1f09bfe85dbf88720c3580fdce03d4e0c031b5905e7d7 |
| SHA512 | 68cf870e77cd3412b3234e34d48c11f20578878a78103d2bff3c907c854847ad8a47b26ae0d751e95aac65fafbbde225b910d7d0592d72042aaa484a83ea953f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9a6538e279b9ec51599ea0fa5f1961a7 |
| SHA1 | fcec2345e09b07c804d31ec9c3df604d9a8086de |
| SHA256 | 7849e9d56f177082029a9e176adb7abba5a61a2ced33e344d17c897be81719b2 |
| SHA512 | fcb00431afbcb2878329cb258da3879c6906e4dd1b260055ef00fcdc3a57c73e3c837fdfff6b9be11c21d465af6d4939d96820ef7a608653f8e83de4852b2ba1 |
memory/508-163-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1284-165-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 60ff978f3e7a6a43aeb3b3e1fcfcac0e |
| SHA1 | 08a9cacbfc78911694600d2950874d0d14492db5 |
| SHA256 | 2bb902ca3877960b9540c25495b855370b09df9da90487b0e73f32b015b796e5 |
| SHA512 | 57ae68f5b8381c93b456265a5059f7aa5fab70f567fbf6b7284f3e05280c186106b2ae98c9a9371aa611ddcfdb078eb97d1728724af0369dce2278dc6bcca14b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8a1c521199ea9f0c3169f165b2311104 |
| SHA1 | e64298264f729a1d280df3f10f5ddd628eba9f70 |
| SHA256 | 5da6116ba3b1a65b1154409e9525697329ddb1dbdcce9de33ed1b13d68c4d9ee |
| SHA512 | 83c9c184588d286a4dddc5832c0f26ba9421897e7026fc65871b7cec932c8bbfc700d0de9ab42fed6cd06d03f743f0ef10c11992e4e1e03b78aa44f49784cf45 |
memory/3604-176-0x0000000000400000-0x0000000000430000-memory.dmp
memory/508-178-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 74de9eb192fbb0596799b86e931b520f |
| SHA1 | c474ffed76dc7321a69b1ce3bf9893ac6d49201f |
| SHA256 | dadffb908658cc69c37fba210dfde652b040207fa661ff2966476ee996b6a934 |
| SHA512 | e2af645383ae7942fdd08918f4b7653b6096e58ef93a1bbfd606da7862cfea59870c8e65dbb78ebc2910315b4390828ac3e21aa52ba7891c529531203ce802e2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | de999a85997c219b1918039ffa79e547 |
| SHA1 | ba0e5f74440177827abf0411df4e0e207d99a0c9 |
| SHA256 | a8f8684fe125380537bdd337f8b7ccb6f35be930436f7a14a8181398d1e03109 |
| SHA512 | 2afbf2a383fa5f29a8aac15d037c8556add628cdf3ae2e5b60b1138d079236a646b0c85227f5f4f36fa50d226fd3141289d7e20222d64f95fbc2d72f3dc09cc1 |
memory/3604-190-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7116fada6f2e87ab8539ac2f7949a6d8 |
| SHA1 | 31a73a620c3757330e7cb7749a938a0c841ee161 |
| SHA256 | 457c900925c2bd19232cb8b411de2bd1782191f7320c5e48109d1154d5e809e8 |
| SHA512 | b5d5599f90c517bd6cb6107afc91c2ac2ecb7a2be94ecd02c77c2a4f955550be942911cf393ece05ec5676bc029bca3874b35a18e7312de3f27d907162d58dd4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d16d0c338dec1355d0241cbc74a6001d |
| SHA1 | f2b26abb00971a9b8789024fcab5ffebb61261b2 |
| SHA256 | 386986afbdb8904a07a08c245ad179a4f02566e367c3c31b294774db52a6ecbd |
| SHA512 | 68ee94fb7769c42ba16a61b8ead48835392bcc5b84d57fb6e0a1a259b794836fe672642f9a1a83c9a341f91f06be7f2adbce5dd423e356c9c8893c8d67a5fb85 |
memory/920-202-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | edc7b6a6307a852b974e34a24f10ec58 |
| SHA1 | d7993fd64f4f99fe56fb903151a7f8602703e95a |
| SHA256 | 461d5722a6bf75c5e291a0000058a67c74ec08abb5e0aaa27bd3f9dcb1c2baf3 |
| SHA512 | 81101115def8125857b21d616a1ff969b7a9e3bf6b4d8fafccf839851404b4e3635a9a67532de708c2bd19606839daa543ebe79ea4a16d3b4cc7eddfe963e5ee |
memory/1224-213-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d560091eea7dac90f7854919204c43a6 |
| SHA1 | 3e8060005c0115646d48a284734bdb7404bc4f20 |
| SHA256 | 43eed176fd0066110da21ddaa9f0ff934660d7da4967866843720bd33f89886f |
| SHA512 | 5531cd8293989ac4ca73aa04120b803e624a0b246fdbd738e18162ef157373a033407b2c2f80a613409fdcec4c7a21f2fac24b575670cb74abb7d6cbc416702e |
memory/2032-215-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 232a7ee551c80c64d079507144c67d24 |
| SHA1 | 6cc08525799839df963baa7417d0ad1afd534d17 |
| SHA256 | 5f52ab791f38fbb0c487a2ab5ece845e1f15e7fa45eccff36ed1692b25c83fd8 |
| SHA512 | 84c281bf59d3669de73a17be88329302d3bedfadae88fd4b478f2e9819542c87405633f514e0e0f58e94d24c7855ad0a85a6662fd206843b3449b9f0eb9863bc |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9dfadeefb864c332078ec09de0351fe8 |
| SHA1 | 25b798b60d00ea387a0c3440b3055e1d74b07757 |
| SHA256 | 3ec1387c17a5c0b22b382caaec97808bace64f3b5b169117801d055a41c302b1 |
| SHA512 | 12d6f56bcf97085fff17e5b8a85f193dfb9cd5cc55ac37cca74c99da2babf6200f458a1e0c7c132b27b11bbced1901adf9102d38afc1e1e78adfb43fc41b53c5 |
memory/756-226-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1224-228-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ef1211445675706b40146c83706b6cfd |
| SHA1 | f7fc270e2b060d4f6381200b45d6511ea802854e |
| SHA256 | 9c595a20622f983c8719f0b82babd1e39d1a3d03a587e6b637228b1428010510 |
| SHA512 | 94ef32fc68b47d16a58487bef254b56662e6cf0aae4e54b50d3d04a0cc488cd5ca568cc0c30bad75782abe93c628960888819a030ce7e062611061043e7b7f45 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c45be19c7b1f4193639e81b51c3e391e |
| SHA1 | bc68ce5f619a4e76b180f89c5e461e9635051eb3 |
| SHA256 | ea0d402af3c995f00e91e0734de45378c0b1bb9e4a8933a03a5a70ed3ff1084e |
| SHA512 | 11a6ba1500d69808a531208918b4085cfe3fc908614e014e4c9f3d1e093eafacf75ac69e3406cd17257555509c8bbd2109e5c1fa058fc64d19998d89cd9ed635 |
memory/4584-240-0x0000000000400000-0x0000000000430000-memory.dmp
memory/756-241-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c31d1070ed66de3a050ed45a244c79b0 |
| SHA1 | 76508a627a6e97bbc4620d61d5fe69edbb377af9 |
| SHA256 | 5ddfb133bf17f424d5cea17ef00019cd5fdbd8c594a5204263cce93c663a5391 |
| SHA512 | 2e3bfc04a88dfe941712f22fd302efb09d46d21ba2c1c621d0c2d23cbe093d3e36d9e2c0fb006bfec6d043e38460b65d0e58518ae38823d9f8ccf4b5229c06e9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 95a1992929892c85269d12401dd3f58a |
| SHA1 | 7cfde1864108941f7c94f5796e921fc89df87640 |
| SHA256 | 1f87e1cdecdaac5bb4b5ac9f5f9a0c19b6d24cbd940e3a189b41e9bdb271454f |
| SHA512 | 0ec9fd85e9ba8ac3c44731eb4a62721c69e85379df57bfe682bc56f0462beae6911c09157180451f4bf5720d7c15c40e741c56707ba1f9e90e2983ae91fb88c0 |
memory/4584-253-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1ca8448381ae0cfa70b2b7da6b64524f |
| SHA1 | 7c13f706ae525df3a0471b5230817999c3803650 |
| SHA256 | e8c15cfcec3f1690855ec95d1d0ad5f0ed9e733cfcf249b5a07590625e49da40 |
| SHA512 | 904fc0bbdb9155ba3d825b4e8529ec6749a9835e1204617612e674672978af8966fc99226684be4279c2a2e396edd11baaaeb6ce26f43882c2ef4e587b90e15e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 19da8cf97786d947b20dc6791f2093c1 |
| SHA1 | 21123517017822118a74a83c6e26a2b776bf6353 |
| SHA256 | 6e69f9d9819eb7d956e0046206b4c8af6ed468b4a20f622d3bd5fcd79c260e2e |
| SHA512 | f82f7902cd1e2b4cd0c056dcc176f8c427d490f0e65585773c2cf20b0e281e6e33a1441019dc2766abd5b5d2ac1a3a69e1750298cad649127f9ef679e2ff7d9d |
memory/4508-265-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b87a72b9bdba3a70e3e71be31c0f9bf2 |
| SHA1 | 15e38318ca626127d207aa4719f999e10795923d |
| SHA256 | c698f038b6707d51e8b9ebd6ab7139adf13443b551373d33dc2524008b00962d |
| SHA512 | 8f3c5a10a27d57dea5185e4c3d65ba35ce0b611b27d42772fbbb9c87374e02e957296e2db344417351d73092cc39531f609828ce5dd412b304d87d41f9c32dbf |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4f6772749324ad1ee998f25260392a4e |
| SHA1 | 4814c5614a9cac27bf0eb9cf7c520b3e5704a5fe |
| SHA256 | 22f94b4a3652cefc54886857e79830d00d2087594d7b65432d2fe6995ff7ddfa |
| SHA512 | 6a3cf394e7b278c8fff63dcc61b0e139b7f4785b0e94316613088a02864b59fe138e56f4212fd663bf02a8959290404dd5c1e1138fce2e5e6233e54f884d384b |
memory/3624-276-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3292-285-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4784-286-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4712-295-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3292-296-0x0000000000400000-0x0000000000430000-memory.dmp
memory/724-305-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4712-306-0x0000000000400000-0x0000000000430000-memory.dmp
memory/724-315-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2764-324-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5108-325-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4484-334-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2764-335-0x0000000000400000-0x0000000000430000-memory.dmp