Analysis Overview
SHA256
ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa
Threat Level: Known bad
The file ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
UPX packed file
Modifies WinLogon
Adds Run key to start application
Installs/modifies Browser Helper Object
Enumerates connected drives
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-22 01:46
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-22 01:46
Reported
2024-03-22 01:48
Platform
win7-20240215-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Note: both values written here are the stock Windows defaults (Shell = Explorer.exe; UserInit = userinit.exe with its trailing comma), so the indicator is the write to these keys, not the value. Ordinary software does not touch Winlogon\Shell. The Wow6432Node path shows a 32-bit process writing on a 64-bit platform.
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Note: Schedule is the Task Scheduler service; its ImagePath is replaced with the dropped copy. The value names system32\drivers\spools.exe, but a 32-bit process writing to system32\drivers on 64-bit Windows is redirected to SysWOW64\drivers, which is where the Files section records every drop. The service key itself is not redirected, so check which path actually exists on an infected host before treating this as a working persistence mechanism.
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Note: "%1" %* is the stock exefile handler. The sample rewrites the default value rather than routing .exe launches through itself, so this is not a handler hijack; the same write is reported again below under "Modifies registry class".
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Note: the two file names mimic legitimate Windows binaries (cftmon.exe for ctfmon.exe, spools.exe for spoolsv.exe), and each is registered in both the per-user and the machine Run key, so cleanup must cover all four values. Local Settings\Application Data is the pre-Vista profile path; on Windows 7 it is a junction to AppData\Local, and the Files section records the copies under that legacy name.
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Note: despite the signature name, nothing is installed. The sample spawns the 32-bit reg.exe (command line in the Processes section) to delete the entire Browser Helper Objects key with /f; the three CLSID subkeys were registrations already present on the sandbox image and went with it. Because reg.exe runs from SysWOW64, its HKLM\SOFTWARE path is redirected to Wow6432Node, which is why the deletions are recorded there and the native 64-bit BHO key is untouched.
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Note: UIHost = logonui.exe is the Windows XP default for this value, and Windows Vista and later do not read UIHost at all, so on this Windows 7 platform the write has no effect. Together with the other stock-value Winlogon writes it suggests code written with XP in mind.
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
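The registry signatures above all fire on writes to autostart locations, but the report mixes stock-value rewrites (Winlogon\Shell, the exefile handler) with genuine persistence entries (the Run values and the Schedule ImagePath). The following detector, an added example that is not part of the sandbox report, scores such writes so a responder can separate the two. The records are constructed to look like Sysmon Event ID 13 (RegistryEvent: value set) fields; the field names are Sysmon's, but the log lines, the MALWARE path and the benign events are made up for this demonstration.

```python
"""Flag registry writes to the autostart locations this sample touched.

Added example, not part of the sandbox report. Events are constructed in the
shape of Sysmon Event ID 13 fields (Image, TargetObject, Details); the log
lines themselves and the MALWARE path are assumptions made for the demo.
"""
import re

# Stock Windows values for the locations the sample rewrote. A write of the
# stock value still deserves a log line (ordinary software does not touch
# Winlogon\Shell), but it is not evidence of a hijack on its own.
STOCK_VALUES = {
    "winlogon\\shell": "explorer.exe",
    "winlogon\\userinit": "c:\\windows\\system32\\userinit.exe,",
    "winlogon\\uihost": "logonui.exe",
    "exefile\\shell\\open\\command\\(default)": '"%1" %*',
}

# File names the sample used for its copies: lookalikes of ctfmon.exe and spoolsv.exe.
LOOKALIKE_NAMES = {"cftmon.exe", "spools.exe"}

# Autostart locations to watch, matched against the normalized key path.
WATCHED = (
    (re.compile(r"\\winlogon\\(shell|userinit|uihost)$"), "winlogon"),
    (re.compile(r"\\currentversion\\run\\[^\\]+$"), "run-key"),
    (re.compile(r"\\services\\[^\\]+\\imagepath$"), "service-imagepath"),
    (re.compile(r"\\classes\\exefile\\shell\\open\\command\\\(default\)$"), "exefile-handler"),
)

# Hive spellings seen in sandbox output (native object paths) and in regedit-style logs.
PREFIXES = (
    ("\\registry\\machine\\", "hklm\\"),
    ("\\registry\\user\\", "hku\\"),
    ("hkey_local_machine\\", "hklm\\"),
    ("hkey_users\\", "hku\\"),
)


def normalize_key(target: str) -> str:
    """Lowercase the key path, fold hive spellings, and name the default value explicitly."""
    key = target.strip().lower()
    for prefix, short in PREFIXES:
        if key.startswith(prefix):
            key = short + key[len(prefix):]
            break
    # The sandbox writes the default value as a trailing backslash; Sysmon writes "\(Default)".
    if key.endswith("\\"):
        key += "(default)"
    return key


def classify(event: dict):
    """Return a finding dict for a write to a watched location, else None."""
    key = normalize_key(event["TargetObject"])
    for pattern, location in WATCHED:
        if pattern.search(key):
            break
    else:
        return None
    value = event.get("Details", "").strip().lower().replace("\\\\", "\\")
    basename = value.strip('"').split("\\")[-1]
    if basename in LOOKALIKE_NAMES:
        severity = "high"        # one of the sample's own drop names
    elif any(key.endswith(tail) and value == stock for tail, stock in STOCK_VALUES.items()):
        severity = "low"         # stock value rewritten: log it, do not page on it
    else:
        severity = "medium"      # non-stock autostart entry: needs a human look
    return {"location": location, "key": key, "value": value,
            "image": event.get("Image", ""), "severity": severity}


def scan(events):
    """Classify every event and keep the ones that hit a watched location."""
    return [hit for hit in map(classify, events) if hit]


# Constructed sample log: the sample's writes from this report plus three
# unrelated writes (two benign-looking, one to an unwatched key).
MALWARE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"   # assumed name for the demo
SAMPLE_EVENTS = [
    {"Image": MALWARE, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": "Explorer.exe"},
    {"Image": MALWARE, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser",
     "Details": r"C:\Windows\system32\drivers\spools.exe"},
    {"Image": MALWARE, "TargetObject": r"\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload",
     "Details": r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe"},
    {"Image": MALWARE, "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath",
     "Details": r"C:\Windows\system32\drivers\spools.exe"},
    {"Image": MALWARE, "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command" "\\",
     "Details": '"%1" %*'},
    {"Image": r"C:\Windows\System32\msiexec.exe", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"Image": r"C:\Users\Admin\Downloads\setup.exe", "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Details": r"explorer.exe,C:\Users\Admin\AppData\Roaming\updater.exe"},
    {"Image": r"C:\Windows\explorer.exe", "TargetObject": r"HKU\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["severity"]:6} {hit["location"]:17} {hit["key"]} = {hit["value"]}  [{hit["image"]}]')
```

The stock-value table is what keeps this from paging on every installer: the two Winlogon writes and the exefile write from this report come out "low", the three entries that point at spools.exe or cftmon.exe come out "high", and an unfamiliar non-stock Shell value or a new Run entry lands in "medium" for a human to look at. Feed real Sysmon exports through `scan` by mapping each event's Image, TargetObject and Details fields into the same dict shape.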
Processes
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
Note: the 8.8.8.8:53 rows are the sandbox's DNS queries. Only bublikiadministrator.com went on to a TCP connection (193.166.255.171:80, FI); bublikimanager.com appears only as a query in this run.
Files
Note: spools.exe and cftmon.exe were rewritten on every relaunch, and each recorded copy carries a different hash. The hashes below therefore identify only the copies produced in this detonation; the file names and their locations (SysWOW64\drivers and the user's local application data folder) are the durable indicators.
memory/2328-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/860-1-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ffc20bbf5c115d80f1c6e4f8d8ed9542 |
| SHA1 | 7db2d677f609abd4a4fa79e229218b5fd728a945 |
| SHA256 | e290fb46031ec018fae77f2d3063a2156e56012458aa105dc9f02581511042d3 |
| SHA512 | ba8f30e1cfa0859689a947a287217e2341567492fc392ea4cc8f885bdc71a064076cc79db8d63a1a1b1bf56fd2431c359ca4ce2fef76e2e751019ceeaee09917 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
Note: these are the hashes of the single byte "1" (md5 c4ca4238..., sha1 356a192b..., sha256 6b86b273...), so c:\stop is a one-byte marker file written to the drive root, presumably a flag the sample checks on later runs.
memory/2328-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/860-10-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f6de9814a371a7bbe9f32c054f4c933b |
| SHA1 | 04a2501540b2f4fe536fe97b1376cf558c3d26a3 |
| SHA256 | 3a9bff65adb134499e56816d7ef34a22243e61080801f3be623f148dd270dbbf |
| SHA512 | 77bef3ef7ca34c4f39513430f8ad654e0c04742ac4c7eda7dc3f936fed409ca08812445053a80bf8db2699960f7a22e9f6c64e5b2183ab0f53280f92145fe28d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4a8ac7c051f4f630af44c586f7ba8c68 |
| SHA1 | bb4e5b47513d43f63dee7b8f05e16ba9a1e7e4b5 |
| SHA256 | 041d40983cf916426c2a7513cfa72c2d1d39f8794ae9d17ef0f411db1b6a632d |
| SHA512 | 4ee7d5a5152dadcb771616894340f506e7c4cecff02753582a3235af72eee79d4961edfd20328693627a62555f819ed3ecfbcf43106d9e1c294ce6902212bbec |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 204903c69a7958703cfc12d8f7b17579 |
| SHA1 | 8d0d5656126868cc0e905009eeda4b12766cbde1 |
| SHA256 | 4bb78b2b76c3de88637c5b64c9317fca818b703bccfbe7054a6971703855e4ae |
| SHA512 | b0795e945487ad7b2b7108ec0070007a55083751ba0b9167f90bc2bd9918e247be2134b7d825808e71e32f2e2ce260297d1eabe49ff1e6752b6a1e286a3881a7 |
memory/2520-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2516-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2520-16-0x0000000000310000-0x0000000000340000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c44daa4510b494775f6a181c6b816c41 |
| SHA1 | e71e96ad0d36a3f6c2c92c2e7ac46cce6c59edb9 |
| SHA256 | acfb3bff4f278157e38ec64746ff62640c2fda4da4dea21b628e31abacb93347 |
| SHA512 | bed489a44c7f99acd3a3da86ec7acd321a2cc58b002784ebfa4752d59e962406a0015f2f5b0a921aa99596f8c9542d1d988530ad8027877fa9906acf64ff6bbd |
memory/2516-29-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e587ff1c531a5871ca3eb7d2a3184916 |
| SHA1 | 7e9496425762ad144659cd7d928ae49ca509c97e |
| SHA256 | 9473a40b3a56c5f4ca2c9ad577733fad8b0ca123aac1e002d3a3950846624ded |
| SHA512 | cd1f2ebc5159acadf544ef4a410c5680c31a75dc00f6c1f19815ba42274f86008f14ad7ddf5e3a21104ae83a915a6c66d38e60679aabc70d62165ba72dc13810 |
memory/2948-30-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2516-25-0x0000000000360000-0x0000000000390000-memory.dmp
memory/2948-39-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c60bcc04ae4e5443667a4c1a3a3bb59c |
| SHA1 | 43c0090f0116431a1b3051edf6b99872279c8cef |
| SHA256 | ea325b902cedf8e482a8fe558686b5423604a178065b4118141fb3065ba874aa |
| SHA512 | 893a959b1b8c3b5c97cd62bd44e3e4826b43a15eb08d5ad54799345af7305967c90a3ca376d734f0243e1f9614d664d93b6fb5973521f02442d4a4e764f4ca76 |
memory/2632-35-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 22fa0723ac35fa6a46fda2fef4ddd7b6 |
| SHA1 | f846644ef943d829958da5e349ef4baf6ee210ec |
| SHA256 | 030b6f80e7f26182d87dba658cb2da14d46cedf75b92b7efbb6bdbc24f1633f8 |
| SHA512 | 792219b132df97bfbead717b83278da8d6255a96590afb0b75bf6e848135a493db0753050c29a078cf013fc57f8fd5b3a701eeb7c77b100c155484c624d3baf3 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 09a6925dc7edc8c7f014d1bb27dbe314 |
| SHA1 | e305625632977b8d70578964ce82125aceb0d045 |
| SHA256 | e3fc358d5e17d2fb236bab23c3570d89088828badd7973073eb274a6afe68b78 |
| SHA512 | dc1f8331268f9939c86c21303b25341045dcad17ea1f470c02eb49766c8281db9dc0fa110f56d47ead4ee5f0ff2b29a82eb4af2d7cb6c464041558a2ed21dbde |
memory/2892-48-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2632-49-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ab1b642b50ff01bd4093f442c78f3c26 |
| SHA1 | 7e92bc4f3173d89c2493646a6811cff360139b73 |
| SHA256 | 9a64a965ac63554bfc52c75a8a5e46ebdf99c1a504af04791fa61363f0931f89 |
| SHA512 | 3dab84c06ccd1c088d678538ecfdca7f0f751419083a872a4f71b77daa4311c7478802723df95e9686724095d703b2874f4277e3867624cf3e1b19d0b77ac4ff |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ef1565766119342bf517a53abb7a3a6e |
| SHA1 | 7655753c6de2e58dc880ff7e56bb390eb6a6d2eb |
| SHA256 | db86545e4ec3925abb197db424901cc76fe3ee42d897971f12f9a0cadf4dca21 |
| SHA512 | 449d1331025b76def85b112f70cb5cfbe1229a9a9bfa96e2df6109dc81414db167207b1e692fcf2455575a756bbe25dd5049f57da844ca4796b5a5689f0e2544 |
memory/2892-59-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1932-57-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | a7dd7e27527f80681cfe5694a8ddeb72 |
| SHA1 | 8940aa1878b8f440e38a5581c875e1c06e92314e |
| SHA256 | f8662e2fdaf0499729624c5783d94fb62533c7106afaf5c782ba72cd3167d78a |
| SHA512 | c9cab80d346d5330ceb8f04951f4acbcd4adfd749e5171ec837e0c162ddf6ba57cfb8f90887e3afdeb76620f654e48f5293826470a13cec0fa3e088d95313ab5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a952660dcd628769e32e093a3227fc04 |
| SHA1 | 44d5fa88902f907d45106ac4411f4dbb5d5eab93 |
| SHA256 | e68209286873bc3b19152483747c9d1eb877dff3b5583afdb86f29001bbe67c5 |
| SHA512 | 4ab544c827b8475005abff4dbeb9cb5ca4abb0bb938f85586aeb8587a6b861e9904b3e4168f6e5caca0440503e0858b020c898610c3c2203f56fbc364f8a2cc1 |
memory/2356-65-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1932-69-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 50705d95a0ddb6cb6bfc1d16d9e94083 |
| SHA1 | 5a9a536f2fcbabda72fa0800221f4c414de1d456 |
| SHA256 | f28d6e9edb2b73939d83d94b6ab2bd5a1a5b4783b4ddff7b4a96c4a60e0966c0 |
| SHA512 | ee7650238e92d1dccf408ac8a52e8fc53e64b5782d89468bf332f3982ca28680aa4ebd9c0ba2df6e13e8e8fb54140bfcbcf277d1fd6bb5a380c7647446632b57 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2573cc29b428a921813a345d5426c21c |
| SHA1 | b19df853e8ebfec3d83a82c2ba342cee920dbfbd |
| SHA256 | c8e7f18a31edd35770be0cc3b7969f0faf44ce2f0d031856d448f9d6d4bc3f0b |
| SHA512 | 20a9fc7abdf1b6eb35870d708d5db1bde24d690c1693db98bff1629989b46200edbe322d832eeb160a891f089d19c037b7f627550dea4cb5be12d8f63831994a |
memory/2356-77-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2624-75-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f212adcf1cfcbf49e1c82ded9bd5444a |
| SHA1 | 8502522985dade2af583d05473947647f1e3b4b3 |
| SHA256 | d21dcdbe215df39505f58e794e987ad209f3dad915e487ef9e565a6dd0cfbc94 |
| SHA512 | 0c8447091ae8d8d84e75266474d54f95da72410aa4a14ad860786957de8d88cea332d39238c4e7e06c35713d9845125de543eeee6bb85e163de3568b0772bb2a |
memory/2624-85-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 70ed3206de0f67f0d5e886e84ef872bc |
| SHA1 | 41d9564e57e7659f1159b977c830a52766df4da8 |
| SHA256 | 2c8434f8118e0d91fbdbb237078fa4b22d1098d20a56fed6d61ffcf2a97ca108 |
| SHA512 | 43188548e35f3249dba90149644f3c7f4b52aa90284da3335b8f41f5b47a26590912d72692d77f238afdd3baa9f26a2f4dee7ec50da3cc086a3615def475f252 |
memory/2032-95-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1468-94-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | fa87059637bc087afd6b73d751a7ecd1 |
| SHA1 | e5670f6d841d8bd579ea56e21621363f3fa0503a |
| SHA256 | 167e3debf9bfc15c5670961674991362844841a6423850643462610612093a42 |
| SHA512 | fa2c0b4a84def998f0a168b2bbeac37e8531eb6352e198a6d669dff5c9b6e51180e9a10f23c2ec828f305d5e56a41f1cc1d70472b26d3fa164c71040ebc3ddbb |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 519ea5364db422ce8d8b27ce13fe9bf8 |
| SHA1 | a699fffdcb7db2f00f382287e69172ca321eba9d |
| SHA256 | 53f97297962c51b3dda7f3361541de9e3f992b39cde9350fe72713a547250f1c |
| SHA512 | 5a296402c35fc04bd62916abe2ee0cad1cf0d361db5bb1d774c0e3c23f2fc6ef93eb0245a40e0e56ec9cbc662052c95538383246709e65e09dba402d473cfde3 |
memory/2012-103-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f2076a5e9e4858c1f93feb28308a5a6c |
| SHA1 | d8d1bc5b06eb4bea28d702fbd5f8368c8f895ed5 |
| SHA256 | 7c1c3d8ce7a3f69ba310a480b6e8863241089dd1f4774bd68016b25c199052b1 |
| SHA512 | 9d03b3705a358285f90423bc7930d42005ee5997fd97796cc6733ac7ad2e36951fbdfd41ba075255cb83676733084bd9d6700145ffdb4e4bd3bbc7fecf3ecd8e |
memory/2032-104-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2032-99-0x0000000000370000-0x00000000003A0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7c89c06381c60f480db61b7bf1d20f1b |
| SHA1 | 0925596be6ca89087a07ea999585e7dc3e0e1551 |
| SHA256 | e978144028d88a1da2cc08b9baa6c05372a6ceb7ce71cc19f65efbd2f14303c3 |
| SHA512 | cf1f4dac077f6f01b2e90d7b2f56cc7dc475265f50b26979828997337c8d101e1265626669bdf2f5555d84873992f546056f7f72cc372bed39e3ea1652801b1e |
memory/816-111-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2012-113-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0ee95c6431faede5829bf074b9f2aae4 |
| SHA1 | b9d668f09238c3659367531fedc1ab8e5b29607b |
| SHA256 | c615c079d1784b823c36545ad319668e6a7bb47c0cf37eb73c7eaa52b895c791 |
| SHA512 | 3f157e69e22fbb850a322310f37aa80e42aa898e582b39c1262ffa9c9c9259480a5b80c89afa563cc408a1197ac03d197b58f964cdcbd8e1353f19af15f014fa |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 142fd7378265928eb655e11e82d97a05 |
| SHA1 | 848fd8c7f57b54b403e863a5f3fac39ee9cf857e |
| SHA256 | 4d48c573dcab10eee11a611592ec99148cb43bc2bd1930911f2fc912662a5850 |
| SHA512 | 76df7afc5a0b8644789b197b565e1d200b9148d078d2c3d8d32470e1e9d0f03549b52bb8a7bb9e080611e31c8d99ed1d838c75c34f8878b28ba50e1b547b1789 |
memory/816-118-0x0000000000310000-0x0000000000340000-memory.dmp
memory/3040-120-0x0000000000400000-0x0000000000430000-memory.dmp
memory/816-122-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bce934392e1e3cefd3b51d1bcc9bd58c |
| SHA1 | 717c213d7e34b41c26fce5924bcf64a6f9da8aaa |
| SHA256 | 631e7f405d348c8a5826d9d658bd131cfca32ecddc169ec54a78245bad45dfea |
| SHA512 | 2598b3621ee1ee0fc3a4a0be2b3b58b9c5cefe2651b2b824ca42880040076f95f7b2c6590da8110b8e532fcb54cca18deac2fb23198a2c3dbade4c694bdda06d |
memory/2224-129-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3040-131-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 096333f755c8140fa77782d075bba52d |
| SHA1 | 88e29ccb1ba45c13441ab59670c4b485c1c3049f |
| SHA256 | ec0e2ca5c4c91352297e95a3771a307fff2419d9785a3df277d15d447f8507ed |
| SHA512 | ad5e09294e9ab19af95de0584003aa5995e07dbaed5198876419feb511ed7952dffc8baf71cdd31691675b5e13a0fa352efc017a5c4d12c7edd631a7adde062f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | fb358d8218bdd6a51cc6ef746c57c90a |
| SHA1 | c6f5e228506f0de1ace3cfb2139887461f576546 |
| SHA256 | 1a74632835b5c9d7b401d5488bcea89585bf5386d7c32249e516dfc7e64babca |
| SHA512 | 56d2c7b287a29aa610151a83b4e669bb1b76a333eda29b2d21593b306d8fbc6d867594e3d8e30269f2e815533c8be4b8ce311e015b4d9601f71c029543be19f8 |
memory/2224-137-0x0000000000360000-0x0000000000390000-memory.dmp
memory/1284-140-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2224-142-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 40086dfc852aeb9ab7973c110e924014 |
| SHA1 | 3c447e78a868f5148a5c631243429558a2775640 |
| SHA256 | a8f84d399cb4c589849a2a730a0eb267fd6785f3977623e098b8a6660cd574a1 |
| SHA512 | 828f2c78fe1b764c36dd12b91f87276431a7e2efa1f9a05b6e3cd952022e950ccef34bf9d2482271431e9548e33a0c3e8dcc1f8e23357d0c1646a890e0bad968 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 816c9eb93baaad90b57e96ef0bc5e88d |
| SHA1 | fde93693461038befbaae5b6644e4fef038d9c33 |
| SHA256 | 9c5a85d6107ccb0da24c49bc2fd1943f5e687d8f4160a4b6af919ddd6dbcf4d2 |
| SHA512 | f65d2473608fe8d91c65097040cbb8d1053ed998fb1e1058656d53ad030fb51a5dfa91418fefc3f2b0a171139f450dfe920f81e34a206b69caa1c72f58395e18 |
memory/1284-146-0x00000000003D0000-0x0000000000400000-memory.dmp
memory/952-149-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1284-151-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | decfa50e3e93b333930f812662bf2d15 |
| SHA1 | 5af074065386f2c456c855a1ebc60f73a78b0084 |
| SHA256 | 3f134db483c396000064a6b788ea88f3c054d3930cf1fc002735405fffe640e0 |
| SHA512 | 3b68e40f0cb80d91226fae2f35b3eef63942b9baa360084b58b46890b0f2010d0ee7c7ad3ee358cabd34fccc66e8d4971e2279d57de94f452ed06f0079b30099 |
memory/952-156-0x00000000003C0000-0x00000000003F0000-memory.dmp
memory/856-159-0x0000000000400000-0x0000000000430000-memory.dmp
memory/952-161-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 70d3672c4642ee5b152e19ee508fc149 |
| SHA1 | f310fb507d4e5c1b8d21c77cbf149a7f78f92398 |
| SHA256 | 697d4b6c7a0e39ea7dd251cc99d5d5bc14837881df4b82624155d1a918d93725 |
| SHA512 | 3a334395e6cc64f23a2fcd7a987939cc2b0f6a6401213ff750b879526c666f40ef32a55563381e27a8d38600296b51cbfdd05730c9ceaeb42fd1ab746a5374ca |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a6a1849f30a064a1d56a90a7dfdd7f88 |
| SHA1 | 61867b2c68e6a3bfae9bf6ea573aeaac345f6436 |
| SHA256 | d8d49658ce6e895eff9f93bb7f071568f2541de72930068281ce03431e2b4a76 |
| SHA512 | 2321c314938f954fbe87307b7cae9738d918e7a1983b6c0e645596832561c806c0de3fea11128d71476c67c714d28c20790bb9e3381fe6dcaed0b1c366964d4c |
memory/856-167-0x00000000004E0000-0x0000000000510000-memory.dmp
memory/2096-168-0x0000000000400000-0x0000000000430000-memory.dmp
memory/856-170-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b174bbb776ac096caf9cddf48739f71c |
| SHA1 | 3606f8cbcb67b16268e4b31544ec9112f457092d |
| SHA256 | fcc2d9d7266f039b3b6e28a6b7dd4d1312665b3175df21822c7055c605551ad8 |
| SHA512 | ef0c17c743b0dbcceeb92025d415321c5a8cbb4b307c4996687d1c842b86a4268f1a2553899fbcf1cb04a2d64ba4709a785ce16f6f9b4435ed62de1497d3e983 |
memory/2096-175-0x00000000003D0000-0x0000000000400000-memory.dmp
memory/1880-178-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2096-180-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 834cdf193a6a5af351a30a00299d75df |
| SHA1 | 1a0b41b1f690c43f832528b3c3d618860462fb50 |
| SHA256 | d291d39c9da74d334160a8d0fd3b71bcc5dcd6a20cc8bedb718e1e6574d02e74 |
| SHA512 | 903005305ed9292ee3ed126e67f3c5cf64ee19bbe0fea0988b2a3df3065e03cee139336fbfb688f43cb4ad0b4cf357aac74ea326262937e0a0b521ddb54fadad |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4c4a675101d6ea09da14c664240193f8 |
| SHA1 | 9a4e6bb99ff4f0d27cc33f288e247d4595bf32be |
| SHA256 | 43424aa5324066e22d77096e549646d7b37e9be554b201dd1af25ec164bf3801 |
| SHA512 | 19253450bb369095e6eef2eed942abf5aa4e54b125d943e83861639ce0873b411f20228372bf4a89eff924a2a705f5f107ad7df52dab377f891ddd7f76bbeea3 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a5664ac314ca55ca96b76ccad22933d9 |
| SHA1 | b23d8df8d8c565af319d7b78b72927b33b0896e7 |
| SHA256 | d773551d11be9bcec154865262c3ef3845863f4d60e4282baae1fb86cd157db9 |
| SHA512 | edb0a59383e1dcd3f4ceed67b21f6b0709d07a35cf576b587c33ff5db88d31f274715d24f2f70048c77730dff4c8db02f09148d5fa7c2ef86ff1b76135a9f4da |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 39deaacdf3aafd3edb2013d010ca84b2 |
| SHA1 | f89910fdc122c37a36534f4fa5f7825a1c14e0ed |
| SHA256 | 233dc5073cbde25f8a18dad432d157dba467b71ebfb30cbda054d747268c5ae1 |
| SHA512 | 95cf64f2ebd6b33351aa34606e866387287545b3cfd9f125e2489159bf9070fe685f64acb4905b9d8ef440ea90c4ff506d880fb448fb6719a42a52db0bb19026 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 94ee6ccd0d56c3749acce44727ee85fa |
| SHA1 | c795fdff9269d7d1ace556e43f50fdaf7af0aad2 |
| SHA256 | 30bfb202c632eb0deacbe972647cdc2bf1563b7cf48884af6a6140edafecb4ad |
| SHA512 | f83e98ca6046debc9360f8251dc3b1f3230c6b8b6af4ba11580e34975c030c09d755fcd5e0f42960a1e84875acd31c90bb74b7013ddc6b74d1c048b635b4015a |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | a2863803cce0156202ba605c41452208 |
| SHA1 | d017c1be1e3c0c6f0e4dae7620b9275dcaaa89ae |
| SHA256 | 64e0d79b00fc1f614e73344d982c236d8b4aa60da18c4324d035c2fb2edfe4fc |
| SHA512 | 080a106e4f15fc31e6af3d879c13578444424f32822158971f480c9ce13baec488eacec9eebc0a9d2dc838580ca118915c079cbc2ea4527c564347bb460c1eb0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bcd30b4d4fdb687e86e5b33cd60f83e2 |
| SHA1 | 00f7463ba1fe621175fe1d4ece9a6b64de6bc902 |
| SHA256 | faff5a98567aeba02f659b10213a337bd03061892174f6c1127c57114d11393b |
| SHA512 | 197606d184125b1339e179d3b0ab602a448dd509f0998ab1e820a4b7284bd07a43379c3d9e43df1092f3ab5333e26dfe371791e42177ead8ed2715e15e1d4172 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 64c014e4cb2136416aeb2c0647baccb8 |
| SHA1 | e4245d73253821ade4a481958bc4c1b1f893f23e |
| SHA256 | b4234502b1f4d823ddd5be397e6b36f0be75ea8f49a5f01eb2990f737fa5d65c |
| SHA512 | fb1dae71e2bea46403294bcaee8f38c19235766ab5c75f4bdbc424c8031324db7ef98d2b2c04f69567787369e372fc203a6598e3c7d51779304c109f19d35eb6 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a7a3f2176f5ee7242070a47c96734463 |
| SHA1 | 636027a7f28e3db831017d350fe4ce7e489f76a3 |
| SHA256 | 5d58036046cb1302f0f5fd61143f003a48757cb071928a8efb2537a7fee1741b |
| SHA512 | bd5bbefe2ff46090496519052634b10cd8b80a723c4729a102588d2b79ae50c7b983242f8d7b05b1c0756e8346e0807f5bb478f94cce30ab013e82ce208c7caf |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-22 01:46
Reported
2024-03-22 01:48
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Note: despite the signature name, all three rows are deletions. They come from the reg.exe child listed under Processes (reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f), so the sample removes the whole BHO registration key rather than registering a BHO of its own. Because the 32-bit reg.exe from SysWOW64 issued the command, WOW64 registry redirection landed it in the WOW6432Node view; the native 64-bit key is not touched by this command.
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
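The registry rows above are raw sandbox events. The following is an added triage helper, not part of the sandbox report or its vendor's tooling: it parses "Set value (str)" rows in the report's own format, maps the key to the ATT&CK technique (Run keys, Winlogon), notes whether the write went through the WOW6432Node view, and flags what makes the data suspicious here: an .exe planted under the drivers directory, an autostart target in the user profile, the XP-era "Local Settings\Application Data" path (reached on Vista and later through the profile's compatibility junctions), and file names one edit away from real Windows binaries (spools.exe vs spoolsv.exe, cftmon.exe vs ctfmon.exe). The sample rows are copied from this report; the VendorAgent row and the LEGIT_NAMES list are assumptions added as a control.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three "Set value (str)" rows copied from this report's
# Run-key and Winlogon tables, plus one made-up benign row (VendorAgent) as a
# control. The sandbox doubles backslashes inside the quoted value data.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "C:\\Program Files\\Vendor\\agent.exe" | C:\Program Files\Vendor\setup.exe | N/A |
"""

# Assumption: a short list of legitimate Windows binary names that malware
# likes to imitate; in production derive it from a real allow-list.
LEGIT_NAMES = ("spoolsv.exe", "ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
               "explorer.exe", "winlogon.exe", "userinit.exe", "logonui.exe")

ROW_RE = re.compile(
    r'^\|\s*Set value \(\w+\)\s*\|\s*(?P<path>[^=|]+?)\s*=\s*"(?P<data>.*)"\s*\|'
    r'\s*(?P<proc>[^|]+?)\s*\|')


@dataclass
class Finding:
    scope: str          # "machine" (HKLM) or "user" (one SID under HKU)
    key: str
    value_name: str
    data: str           # unescaped value data
    technique: str
    flags: list = field(default_factory=list)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'cftmon' vs 'ctfmon' scores 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_row(line: str):
    """One report row -> Finding, or None if the line is not a Set value row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, value_name = m.group("path").rpartition("\\")
    data = m.group("data").replace("\\\\", "\\")      # undo the sandbox escaping
    key_l = key.lower()
    scope = "machine" if key_l.startswith("\\registry\\machine") else "user"
    if key_l.endswith("\\microsoft\\windows\\currentversion\\run"):
        technique = "T1547.001 Registry Run Keys"
    elif key_l.endswith("\\windows nt\\currentversion\\winlogon"):
        technique = "T1547.004 Winlogon Helper DLL"
    else:
        technique = "T1112 Modify Registry"
    f = Finding(scope, key, value_name, data, technique)
    if "wow6432node" in key_l:
        f.flags.append("written through the WOW64 32-bit registry view")
    d_l = data.lower()
    exe = d_l.rpartition("\\")[2]
    if "\\drivers\\" in d_l and exe.endswith(".exe"):
        f.flags.append("EXE planted in the drivers directory (expects .sys files)")
    if "\\users\\" in d_l or "\\appdata\\" in d_l:
        f.flags.append("autostart target in a user-writable profile path")
    if "local settings\\application data" in d_l:
        f.flags.append("XP-era path reached via Vista+ compatibility junctions")
    if "\\" not in data:
        f.flags.append("bare filename, resolved through the search path")
    for legit in LEGIT_NAMES:
        if exe != legit and osa_distance(exe, legit) == 1:
            f.flags.append(f"masquerades as {legit} (T1036.005)")
    return f


def classify_rows(text: str) -> list:
    return [f for f in map(classify_row, text.splitlines()) if f]


if __name__ == "__main__":
    for f in classify_rows(SAMPLE_ROWS):
        print(f"{f.technique:32} {f.scope:7} {f.value_name:12} {f.data}")
        for flag in f.flags:
            print("    -", flag)
```

The distance threshold of exactly one edit is deliberately tight: it catches the two look-alike names in this report without flagging every short binary name, and the transposition-aware metric is what makes cftmon.exe match ctfmon.exe.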
Processes
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 20.231.121.79:80 | | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
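The network table lists every flow, so the same destination recurs dozens of times and the DNS rows mix forward lookups with reverse (PTR) queries. The following is an added summariser, not part of the sandbox report: it folds the rows into per-endpoint counts, decodes in-addr.arpa names back to the address they ask about, separates endpoints that were contacted with no DNS name attached, and lists PTR lookups for addresses the table never shows a connection to, which in a sandbox run are usually the guest OS rather than the sample. It also repairs the one row whose Domain cell is empty and whose "tcp" slipped a column left. The sample rows are a subset copied from this table.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the Network rows above, including the row
# whose Domain cell is empty and whose "tcp" slipped one column to the left.
SAMPLE_NET = """
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
"""

PROTOS = {"tcp", "udp"}


def parse_row(line: str):
    """One '| CC | ip:port | domain | proto |' row to a dict, or None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4:
        return None
    cc, dest, domain, proto = cells
    if proto == "" and domain in PROTOS:      # repair the shifted row
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    ipaddress.ip_address(ip)                  # reject garbage early
    return {"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_to_ip(name: str):
    """'14.160.190.20.in-addr.arpa' -> '20.190.160.14'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    ipaddress.ip_address(ip)
    return ip


def summarize(text: str) -> dict:
    """Fold the table into per-endpoint connection counts plus the two kinds
    of DNS traffic (forward lookups and reverse/PTR lookups)."""
    conns = defaultdict(lambda: {"count": 0, "cc": "", "domains": set()})
    forward, ptr = [], []
    for row in filter(None, map(parse_row, text.splitlines())):
        if row["port"] == 53 and row["proto"] == "udp":
            ip = ptr_to_ip(row["domain"])
            (ptr if ip else forward).append(ip or row["domain"])
            continue
        key = (row["ip"], row["port"], row["proto"])
        conns[key]["count"] += 1
        conns[key]["cc"] = row["cc"]
        if row["domain"]:
            conns[key]["domains"].add(row["domain"])
    return {"connections": dict(conns), "dns_forward": forward, "dns_ptr": ptr}


def top_talker(summary: dict):
    """Endpoint with the most connection attempts: the C2 candidate."""
    return max(summary["connections"].items(), key=lambda kv: kv[1]["count"])[0]


def unresolved_destinations(summary: dict) -> list:
    """Endpoints contacted with no DNS name attached: direct-to-IP traffic."""
    return [k for k, v in summary["connections"].items() if not v["domains"]]


def orphan_ptr_lookups(summary: dict) -> list:
    """Reverse lookups for addresses the table never shows a connection to."""
    connected = {ip for ip, _, _ in summary["connections"]}
    return [ip for ip in summary["dns_ptr"] if ip not in connected]


if __name__ == "__main__":
    s = summarize(SAMPLE_NET)
    for key, v in sorted(s["connections"].items(), key=lambda kv: -kv[1]["count"]):
        print(f"{v['count']:3}x {key[0]}:{key[1]}/{key[2]} [{v['cc']}] {sorted(v['domains'])}")
    print("top talker:", top_talker(s))
    print("no name:", unresolved_destinations(s))
    print("PTR without connection:", orphan_ptr_lookups(s))
```

Run against the full table, the 193.166.255.171:80 endpoint dominates by a wide margin and the only nameless destination is 20.231.121.79:80; every PTR query except the one for 204.79.197.200 resolves to an address that never appears as a destination.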
Files
memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3f8f8ee77cd77b9ed8ab7ab8e6d7b675 |
| SHA1 | 0a2b9387b4acac89aa3d1b56cd6c4a3affa7b248 |
| SHA256 | 847b71539589cea92534fe1e595bdb9b0bd0259642f54cf6ce6bc418f4a7d5fb |
| SHA512 | 573ee78f06d609635fd54db8a002caab7b1a73ab58f433574aeef8cdda660168434eaf4adc1feb089491a8776a856a90df7174c70c875c9a7344e32599fddf82 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4704-8-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3724-9-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7008469dc477e17cc476f1111f8ef536 |
| SHA1 | a4ff262c146002ac80b4c1332e2ba33e427bab70 |
| SHA256 | aacccc43a831310f9bd7a2457f2f75f6407eeea708dcfdf301eb2051dd3564ec |
| SHA512 | e8920e7431101a172679d4ecc8b924be3f827a40d66bed045d43b7436c9116a172c680f55f7339dc26a035a7706d6b4545cca8adbb5fbe34f9e9da6ec79fd637 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 65842a51361befb7189c95fe72a0212a |
| SHA1 | dfe7352317af0ece00a04084322de65180a603d0 |
| SHA256 | fd5cc66bb045f398d5f5ef0b9b6665c41d137e1f3b55f785929e5fa7fe6ec4f4 |
| SHA512 | ffb58f0e33b24ef9dd5adc8a9e9b93a552fb16654653109c26761fa550e679d6faa46f54285fb62838f1d487bec3cf48ba06f1b5454976c48f20494ec2df96d2 |
memory/3864-18-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4704-22-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 400ad9cf48137bb23ce35d4e10bdcd5e |
| SHA1 | 26e64f5d4fdba24e5c013dc715bde6f1ff0b3017 |
| SHA256 | 7a30f0d05d05ba20968028aa1bcea1081ddd2f3db975b3dbe29dd095c13d0820 |
| SHA512 | 89e917036f0fc36cc728393fae4f49768b0eaa4386783dc39938c1576ef76319c124a6bb84f6cdefebdaf0b36f4f601e8fdb5b5ba295bc1d6c2aaf9d5e18d29b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | eb1b1801cdda0b2f8693f145b0d3200e |
| SHA1 | 87d2db0e43f3a1651145f191731aeb3becd13fa1 |
| SHA256 | af59cc5906c040fea2c756b2e4f4f0ab4cfb7e64e1cde52ab8295d194175984c |
| SHA512 | 8da7a2c10a7fc8dc130694e9c00eb7d7b5234e7a616828618c0ecf8d371f65caf3a6ce34dc969661cf937e2fbbc1dbcc753a65df9ab3e657cbb4b111a8002426 |
memory/2696-33-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3864-35-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7bfb57fc3ef78c59d2d5851d07709e65 |
| SHA1 | 589d9f517ce84a8d786c3ff9d57a122c6bef173d |
| SHA256 | 6f5205c585d1e69aef074d8de0641bf84949408ad78fec7363a8ef69156e7ec1 |
| SHA512 | e2cc052e4d921bcdf195099813b007f83709b4b29c9e485bd6a8c2073bcb9cfc6bc5b8abb227152a3e6df1b4ab55688179156bc198b5a62470565937bbf3259a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e8559aa33568102e6a110366add6d5d6 |
| SHA1 | 73830deca970649715e00e53c22f02618e82f880 |
| SHA256 | 4966fa6b556a11f5cf8dc1f693e3a5de205144483b41471caeffa57da90706cf |
| SHA512 | 90ce7ee6a3f17d539107f67f878dd6c5a298fbe2b7bd746c1236b884241089fe52668e98cd87a6f8448180ed075f9596aa10fa320c85ca655e5284fe8ec7a916 |
memory/4384-46-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2696-48-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 57ec03a220478e82530895afdd3eb29c |
| SHA1 | 863d914add62eee6400c8aa222ac18f96d4e0a06 |
| SHA256 | 4c35cc0f998e00a2c5ad73760f5d9a99eaaef5016c8f94a82ee46e89b6fd7093 |
| SHA512 | 8f29d8ec33ff5735caf0fa33b45867cb9f8ed5302f7f76b14bde13643e1bce1565e98c122924d311e84098bbcd36d2cfe275bfaa04912da44f7db2c20df1a1b5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c5d51e0fb3ab943168034fd966ea7312 |
| SHA1 | 0c078fbcebf4471c64ec71c8b66cb64699709a04 |
| SHA256 | 8791cea309c47fc83cbd965ff16e29105167671f5c1481c5494f3892cffa424b |
| SHA512 | 4b0b2d7b07a8d1593beaad53ed79ee364793c897af3ebdc6fee65a8cfc40fb2f3b581bb7f3573f31275e8e1f7486ce5fcc6d58546b3f24baa597ddd395ef589c |
memory/5776-59-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4384-61-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 45b1639154bde013aafa5adfa8a955fe |
| SHA1 | ba14a45d2f78812a66544a8a45cdae5391f81231 |
| SHA256 | 1d2414bf44cb576e15c83df8cfdf30495d4f73b25a5fbe8067c245ba881b1f67 |
| SHA512 | 926e71d7a3e8e6c6a5eaf0bd7914f8e5fa70fc16c39479a6980787fedb5de4ccf3f64a16db184f1401cb09519b6b1bb0701a3a2e691c98ce45a60d4b85ad1914 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e8ce968a6d10467f2a4a08555297c7d4 |
| SHA1 | 86feb14d6e9fb6ac84c0b5fad269ffd403843b6f |
| SHA256 | 525b06c27790f2dc8e8b6bd4ef0ec2dd7fce8f92ffa4cf1c93c243bbb47d62dd |
| SHA512 | 2acfe0dc78b85c8f2bdc762f6f36d75e45cf4d2b89e479456413bd11be3673b77150c8cd3c7d07ae1451888d459c2899cfa2b81ec92b3dc27759ea91eae102cf |
memory/4508-71-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5776-74-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 911ce136d118861e5f1f9cbfd665418f |
| SHA1 | ca192332e25cabcd317cc81beb9ef4e5d2b545fa |
| SHA256 | d0c12be1f3080e33977c2d2e543da934bfaa3ce5b8f14f2a1ce2c2ccbd47db3a |
| SHA512 | c76a63cd1069d8a40f6357c36db7d62fdfec33d0889a04d335bf48b779f578e38347994b39e759500120790ae6fc6f0a8513950cd57f870c2bcf21f7d06436bd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ebaca7534a22e04160e40feffd81621c |
| SHA1 | 69ccdf21d776ec715d9dfad795b0acd3c53d2680 |
| SHA256 | b420e8bad9ddd31552d926c1fda945c91136ff9470b0935bd75cdadef052d6d9 |
| SHA512 | df6ad12e4beb5664280d101aaa1cb8de301151e521507c1c429bad9c24377b7f5fdb4506599272af032441d934a62fed49d52c7fe0522e339b873dc87bce39a3 |
memory/5832-85-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4508-87-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 23eb9508938d532d598540c2be165666 |
| SHA1 | f8c2b56102733736fb7d95a5d0ea51889eb80f36 |
| SHA256 | 342da1a86141fb5f0fb1e29eec02a25b72e37775e4e5f1f973931a06874cc679 |
| SHA512 | e85e42add42bfc03e6fe5b926ae729d2b46c55ca7b2bd9aa04cada499caeca6067c46632780a5b953f5a6cdf9a99ea9517a6e6904032f786d3efe8c649fb3e42 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4490d9104f3c2f7aef2cbc5d8ce3bc83 |
| SHA1 | f27a90375cd49dcd941e0c191889f220fc2c0390 |
| SHA256 | 9c0085297213e422accab0f1926de568c4fc3df63024242c84020abaa108c53e |
| SHA512 | 971d5c8e3ebcadd8ce57f5542cf1ba9d1d8e2f120dfa53b71f63dc7b6288b2dd5317691f1af75733c15d210bd513069200fa25c2cbfb7b216825ea69bfae19a3 |
memory/2144-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5832-100-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f7f852b522e40dcbfce869fe9f023cb5 |
| SHA1 | 8c35ff164cb6b7bad5d72a53d70f1973e1ff8212 |
| SHA256 | b5be43f9987de136da76e5d185d1107996837720d502327728f7afd099bfb6b4 |
| SHA512 | 1f1e268b47add36492ac1ec6874ca66e4db2483eb7ac7fd0b0cad2d38b12ea4c6017ecbc75132ec1904f8ded3b10704bdd24209fd6b058e7b255a1f2bfaf440a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8c3fd51d584d88bb3cfdcee5d8e3d33a |
| SHA1 | ab22990cee7afe34f60f1da062ab85689dc4f8a8 |
| SHA256 | 88d579a7fbee03ac8588a42c2503ade601ef5953bf37bb210ecb40ff62da4b32 |
| SHA512 | 1c40d1841bf969428c3d856106112c35563aac9c8ed5d582566448d5cfed42d56da035bec7c87b8d58fc8364a0b371758d621004f016fa10ffae26281f6447a7 |
memory/3612-111-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2144-113-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bdc33572a31a0de86c9f1adecdab3576 |
| SHA1 | d2d39771e8491d923db3047e8aeae908fd9ff1fc |
| SHA256 | 7a60548e04d7c099051c7743c3aa7c3e1f538bc639db8c72990e3cfceb9bddaa |
| SHA512 | dddb6724be006d5152d4e5eb6dd81a1f62a8d4ad41c840de11228ef4b75e70bdf1217537ca8dbcebbb6ea5f73e657f7a2947e84d78dd41075864316eb236dd91 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9b072cea1bf92a4aca1554da353054db |
| SHA1 | 9b2c09c9b71a9f07f97301dbc346b54d89be02cb |
| SHA256 | e07726fd5684a8fe795ade846caf91cdda35e1c38f908710d739453d2cd6f7a4 |
| SHA512 | 8703062ed8cf240408744e424ae8818bcdb8699993b8f0489c4db6a6e36ddba98c703be48c68239f870caacfcc86d73948dcecff05cefe8d14d268fb44089015 |
memory/4892-124-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3612-126-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5503d4332718414fba7b9be2721de536 |
| SHA1 | fbd3f0fa378d3cea0bbb6403b8f2e87933ac1888 |
| SHA256 | e74ca0956278e757226f7d419f3c36ef8d0ea77538e391a045dc8189d4c5aedb |
| SHA512 | 7de166b749ad8adf71e5b6d8d8802c0742858b8e52983d91b2f62c049b4d3c0e9413cbb1e3bf62e41fb17212a2bee2ef67caed5d031eb7344b161059cf4c6d67 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e0a20a892b3c219c045dd5b341f9ab7d |
| SHA1 | 6f65a9a26bd04166dfe2cddcb780fc68ce68b787 |
| SHA256 | 443425bb8ed88bb318407d4115dbcbc59a4e417883c9f9c0dc59938ac017d469 |
| SHA512 | 78e7dd71d3e67d68316551bd708a8e7f362f7bf795c89d8b65f9337ddd474cc0af4d0b079885ce964683ab2ceed5b4a76e5cc5785932cf69f93fccde10e77e97 |
memory/4496-137-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4892-139-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4541a40321a338a3ef391cdf2ae01bda |
| SHA1 | 3cb9089e3c12a61cb653e14be142f94e67c07600 |
| SHA256 | 4c3286e940983815ffb2d54e6eff5c943edbdefce9d6c81846f8346aeeb32dc4 |
| SHA512 | c7d9a9f94805e70a95fd2325c27d9bb28231a577b51f4b99e92930b8e9ddb7e6608d427783b6edeaafbd362cea8814550386f35289e83ffd712bfc84bbf798a2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | be1b5067b9e45e59df23baf42e5af5ad |
| SHA1 | 9fb864266c8f42041b35be1e1ae3e75c41b202e8 |
| SHA256 | 97b48af034c04c79138a0156dbd707423c1ae8089f88276dd4c66e6d24416a36 |
| SHA512 | 68e1c2d3978869475abf6151ff823bbc6b481f2670d01bf5b90732ab6e5ff66dcadf01b125a2bc2f7209d733e1f886c9822bb0dfea964595f0cc67c560e0a89d |
memory/4496-152-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5272-150-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0fae10609b8a3d6af3eb6c5fe6d5da99 |
| SHA1 | d01d132bd47a9bdfba686b4020a8828fc9363616 |
| SHA256 | 79db74a9fb580c395d32483f4b546c75243dc2dd93062e42f28e07aef05a2b1e |
| SHA512 | 107abfac5b22863049799f2c94e5b076c4e9e7ddf8ddf862c17140571fd11d17e57469b5cbb7fc9056a6e790e4e15667042cf3b79e085ad10bddafac8eada398 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | cca5bd37fa0b04160573d0ded1b7a470 |
| SHA1 | 24b30b970d3b9810bf3748aaf4cbc8e75245c46e |
| SHA256 | 09183550c511eec215b30833e100655d7417c5bc79f8ba2c7d4e206928f6a3a9 |
| SHA512 | 1b7e883c7459b8a5b291bc5835ef246654b164aec2d26926dde3616c38b603a173d70eb08aaaec4c57329bf4e26512bd308d4d5f58b3d5c3ab616ea2c389dbc1 |
memory/1000-163-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5272-165-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ec8d45b50196d532f52ea2ecbdc570c3 |
| SHA1 | b3201264a90dddb10c41ffa8920864d08e54a526 |
| SHA256 | 533100f4638fbac58fa5f67780a36c7ad99d2e788cc3926cbe870de18fd6f89c |
| SHA512 | 66cf006efbbf48280762772b7a311fbab5f11e1ba9b19279519b9b0b09357c123b81db4165d0b3deaf7324cbde1a7370e81b7e4fa0fc00af9815dc116ef18b14 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a866f858383666451d7c0b43a83b29b2 |
| SHA1 | e8c23c4b91e0dddf19336fbfeaccdec41db3a121 |
| SHA256 | 7657aadd46d8518c96685a9c90ea9266a79ac3358549747e37ba202c16e4a1f9 |
| SHA512 | f791de316f179fc0f08cb023d189c650b2b9034556749a72ae3aa112d044d1f0914d4cd2f64ace086dbabb88cc7b09f39df377811bd7c2d6739bc1cac3a60aaa |
memory/1000-177-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 883480a10b2d55de313a32f6ac4342f9 |
| SHA1 | 1a605858e196be3bb528e5fa22d26274d5117a8f |
| SHA256 | 237415c343a9de8b26ff49ba39723869510562f97ae8d5eaf61550fc31885c9e |
| SHA512 | 5abc22e808d0e442401eab8840440893fb1066aef7aa6b2d86a25496e171a6cffe5e3eb6ec5c3a5ef5cdf7028d3716ad38c87d69ea630ce43e4563ab4684ea5b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7a9edf36c77f0ac9a3dd401ba33f343e |
| SHA1 | a098bca75cce3ab2bb6e8d0d95e6c77d5196beb9 |
| SHA256 | 83a01c3fc733a11192e5f158d56ebb3768ee43b48d9b0be85d8f27fdd9dd2c50 |
| SHA512 | 933ac9647c76ba84a27dcd6862253b68728cf8c5dd0a9c779e6e5e1f627f25a0e1e3b915fe2577aa7627d0fca3ac0ed7bbfc39581791f3447aae9fd987cb5ece |
memory/5072-188-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2684-190-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 20198e46b8d4f2ca2b6684aedb9d778d |
| SHA1 | db40faf38bdf183baed7119b2a722409701abb04 |
| SHA256 | 926bc53636b93b2c90e2bd3cb49f1a499896e34682e9600139e7e2fd0e2f86ed |
| SHA512 | 0f722a5fb4bfe6aa638aadfa5f5ffb80045511a3c883f4ae4bc36c42b1ad27bfe39c90bec3f8bf84c26eff52a57563d2210c69c9e6f3efef2c77a340280ffbf7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 68ecb648561bc6a5687cb2bb7afb3ac7 |
| SHA1 | 90173a6e1cc42324f74725628147b0009dc51a82 |
| SHA256 | 7bb5361974490fab67a1838c0350e784c548d454e6233215895dd3e7bcadcd74 |
| SHA512 | da9a0e1cb42a37ccf64f2046a6fdbc5f8d9c9ace68a85d671a99505438fbde8f36a8383475ba1785f85d612051dd841f4f65228ccdabf137f6e95abd733f7b2c |
memory/5636-201-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5072-203-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f685daf1b6f14a37a498aeb9d0c0b423 |
| SHA1 | c86abd6ca315d8dde4151412273c01ef26cb19a7 |
| SHA256 | 98eda98265d6124af118c68de56d5900a5ef40b255b6702b7d16435e4d451180 |
| SHA512 | 587415431e3ca85a9c27cfbd7e7cbe58d7fdc37da6ce68bd4e673802da5d2cf4d53d2a49af9d1aa13dc8ba6f05d1b8615566ac097d02ca62825d704370207e0d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | dd0c5f02fcb74beecef9086c42645e70 |
| SHA1 | dea86bb317e8d227b9b4b1742205b07b93908141 |
| SHA256 | af1bef69da279382f8992945d1fda9c5ea940e091c68279c2a882a0f67265372 |
| SHA512 | e20f55ef54e839099b3cdb6849fe73807f83c0bf5d689e194a61533dc4f7e3d03e74f495591fbde648e49ee5dbb7e9831b318504b25442e929b71f8a2dafd211 |
memory/3224-214-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5636-216-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c62293b8d3b0580fa6e2c2b42489d718 |
| SHA1 | 657e9d96b8b2f909e064b5c5bfb5587075e3eb27 |
| SHA256 | 98356f4a127a77252196a783a15139c07758fd23383743a6d2cf940834f278f4 |
| SHA512 | f06d3bef8ba7aaf5b1b21beef28d60ebfde1c18ff32191666ce1143b9d36545227e113ea9f32fbaa7e983d44de2804d92bff84e2909d995f0f26ecbdf0e55c3c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3ddfc80bdad74c498df8cef88bc74bd1 |
| SHA1 | 5214899ee615b71d201daf289d02952e27c6227e |
| SHA256 | e240313b0f9d626de59b5613a40a21a6adbf6681cefba62f732fcfa124f027f2 |
| SHA512 | e3dcae37466b94fced1d1fe7dabba03300e3c94a59af011a49c578f97c245c5af15125c687941e5ee1862151394cb745037239481e945705dd47c0e390199c75 |
memory/2832-225-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3224-229-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0f7fbac408f6ce2538b95f19191ce245 |
| SHA1 | 8689875fede6f4741493ff221a10823547ac1bf4 |
| SHA256 | f6264d5c58454e3148929dc78035559d22ef5b6fd47b3a33d4cfa55c5106106a |
| SHA512 | 4c3c8cc08bb799c988f6ae4b2216bc72a8472f69073ee6c4d4b3d992c3d0ab80126bc3e5a0ab98ee200a94a4d81acb32dcf0f157af8040b6fb6558fe7dbd1edc |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b6d38396381d2a5e6886374c282631fd |
| SHA1 | 0141d40f6f950b1bd0d6bfd57876d9de49c0b5bb |
| SHA256 | ac4cd186c15704edb4901b2aff7c8607efa6bb022df927614e7b045796e3084b |
| SHA512 | edc9bf6b20da7e89ace65311cf44c7a62fc0c3b1ac40c88d7daaeff1094ce625d34bfed69002e45967745b326133b19a1da946b02965a87f607314a863b792d2 |
memory/2832-241-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4d3812a21ff1a2a090dfa5882d04c6cc |
| SHA1 | d9fe59042019b0eb4edef85418b080f82f28aae0 |
| SHA256 | 0971bae3bbb3a98c353189d1887a60d562e1b0c39fdeb06b28b6635c2c1ef341 |
| SHA512 | 8397477a691fa8a54804e1d1f807b6f32f9e7bb7100b86c3eec78fcac29a5b9ca157922711f27f2a0ad824450009e3858ff66a848df4b82edd360268178532b0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1c69630febde3493822fb02024a3f1fc |
| SHA1 | 95c918f7e2408ff62c95743334d9a16b67b9f09a |
| SHA256 | 61bacd6866c28cc3bd9dcd051addb7a1d9335cb83e79285667af49e0dc9ba695 |
| SHA512 | 596008f33e3f909403d1cc91f9675319a842cf551a0309b0be25a54c7a1284a7984b1d0f5bebff8add69838787e6df7c6aa3278e37cb8b3acd26261bcc3aefa8 |
memory/5268-250-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1252-254-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 276ff5630c83f9845a9776e7e1516d65 |
| SHA1 | 01562e1f0f692dc3ff93d4b94bf78d5862bffd61 |
| SHA256 | 86b80bd0b3feb249c6dcb2fcf77d6b63e2bff09344e1499a22ddd9a4c69bbf24 |
| SHA512 | ba99ca785d4a421b5ebbe75efc9eecda20909372c217f664c9731e0019c2c2844193f1935557d07638ef20351ebdf5bb35de6bf5a77cd85ee464fed2cf7ff92e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f5f8373971637859d49b6cf11ffae8cc |
| SHA1 | 30bedf16269d06e4a5a03435d8e76098a8de9442 |
| SHA256 | 5f17e8720c53842c0faca3f8947a357190b661e3b178c33af3d8802c9915a6e6 |
| SHA512 | 3c23bcf0b727c713aefbe67b5d4ddb3dd85d797fede44ff9abbec0266d10916b57c6b861cee4b7f85c08a3f234b83d4b74d8ebe517d3fb1a8e9ab0b381b0b39f |
memory/5268-266-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3b8496d6720e6f967e44dac2da9c84e2 |
| SHA1 | ad84c6c0166da38e4f749b0128d8dbd2e0ec1f4b |
| SHA256 | c1075d6f91b91c636789e288b1dd2af7f1d8f63e759ee5123efd0f142e204361 |
| SHA512 | 39361baf32d2d5b42f9e882a1c2f599053616c913115ba57cdef28bb41853c16f101ff005c5078e997a3d2c67b7d473655407b40e8df7430473f166012af87ab |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 819d627a5870602c43e3f55baeedc0ae |
| SHA1 | 999429c0ee10cd2146ff6de205582c04d8df4c19 |
| SHA256 | a902eb9c127bfe90907a61b816d45b26282734090f8f3ddccbeeab2c1bb7963a |
| SHA512 | 071dc818f1c1d279f3f7f9b77074ae8ae423de34a92e5a171a5d1df164a49c77145e2d3f8420c9b2f9830bf04857493b9b02881e45c58158dfd7ab3506c805fc |
memory/2204-277-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4496-285-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4564-287-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4496-296-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4060-305-0x0000000000400000-0x0000000000430000-memory.dmp
memory/528-314-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4556-315-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4708-324-0x0000000000400000-0x0000000000430000-memory.dmp
memory/528-325-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1552-334-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4708-335-0x0000000000400000-0x0000000000430000-memory.dmp
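Three things in the Files section deserve a second look rather than a scroll past: the same two paths are dropped again and again with a different hash every time (each re-spawn rewrites its copy, so a hash-based block list on spools.exe or cftmon.exe will never keep up); the Run key data names C:\Windows\system32\drivers\spools.exe while the drop lands in C:\Windows\SysWOW64\drivers\spools.exe, which is where file system redirection sends a 32-bit process writing under System32 on 64-bit Windows (whether a 64-bit logon process can then find the file at the registry path is something to verify on a host, not assume); and the digests listed for \??\c:\stop are exactly those of the single ASCII byte "1", so it is a one-byte marker or run-once flag, not a payload. The following is an added checker, not part of the sandbox report: it parses the section in the report's own layout, counts distinct contents per path, verifies the marker-file digests, and computes the redirected path. The sample is an excerpt of the rows above with some SHA1/SHA512 rows trimmed.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt of the Files section above, in the report's own layout
# (some SHA1/SHA512 rows trimmed): three drops of spools.exe, two of
# cftmon.exe and the c:\stop marker file.
SAMPLE_FILES = r"""
memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3f8f8ee77cd77b9ed8ab7ab8e6d7b675 |
| SHA1 | 0a2b9387b4acac89aa3d1b56cd6c4a3affa7b248 |
| SHA256 | 847b71539589cea92534fe1e595bdb9b0bd0259642f54cf6ce6bc418f4a7d5fb |
| SHA512 | 573ee78f06d609635fd54db8a002caab7b1a73ab58f433574aeef8cdda660168434eaf4adc1feb089491a8776a856a90df7174c70c875c9a7344e32599fddf82 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7008469dc477e17cc476f1111f8ef536 |
| SHA256 | aacccc43a831310f9bd7a2457f2f75f6407eeea708dcfdf301eb2051dd3564ec |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 65842a51361befb7189c95fe72a0212a |
| SHA256 | fd5cc66bb045f398d5f5ef0b9b6665c41d137e1f3b55f785929e5fa7fe6ec4f4 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 400ad9cf48137bb23ce35d4e10bdcd5e |
| SHA256 | 7a30f0d05d05ba20968028aa1bcea1081ddd2f3db975b3dbe29dd095c13d0820 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | eb1b1801cdda0b2f8693f145b0d3200e |
| SHA256 | af59cc5906c040fea2c756b2e4f4f0ab4cfb7e64e1cde52ab8295d194175984c |
"""

# The path the Run key in this report points at (from its registry rows).
RUN_KEY_TARGET = r"C:\Windows\system32\drivers\spools.exe"

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")


def parse_files(text: str) -> list:
    """List of (path, {algo: hexdigest}) in report order; memory dumps skipped."""
    drops, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1).lower()] = m.group(2)
        elif not line.startswith("|"):
            current = (line, {})          # a bare line is the next file path
            drops.append(current)
    return drops


def polymorphic_paths(drops: list) -> dict:
    """Paths written more than once with different content -> distinct count."""
    seen = defaultdict(set)
    for path, hashes in drops:
        if "sha256" in hashes:
            seen[path].add(hashes["sha256"])
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


def matching_algorithms(hashes: dict, content: bytes) -> set:
    """Which of the listed digests equal the digests of `content`."""
    return {algo for algo, hexd in hashes.items()
            if hashlib.new(algo, content).hexdigest() == hexd}


def wow64_redirect(path: str) -> str:
    """Where a 32-bit process's write under System32 lands on 64-bit Windows."""
    prefix = "c:\\windows\\system32\\"
    if path.lower().startswith(prefix):
        return "C:\\Windows\\SysWOW64\\" + path[len(prefix):]
    return path


if __name__ == "__main__":
    drops = parse_files(SAMPLE_FILES)
    print("re-dropped with changing content:", polymorphic_paths(drops))
    stop = dict(drops)["\\??\\c:\\stop"]
    print("c:\\stop digests matching b'1':", sorted(matching_algorithms(stop, b"1")))
    print("Run key target, as seen by the 32-bit writer:", wow64_redirect(RUN_KEY_TARGET))
```

Because every re-drop has a fresh hash, the durable indicators here are the paths and names (spools.exe under a drivers directory, cftmon.exe in the profile, a one-byte c:\stop), not the digests.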