Malware Analysis Report

2025-01-18 21:31

Sample ID 240322-b619baef47
Target ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa
SHA256 ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa
Tags
upx adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa

Threat Level: Known bad

The file ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

UPX packed file

Modifies WinLogon

Adds Run key to start application

Installs/modifies Browser Helper Object

Enumerates connected drives

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-22 01:46

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-22 01:46

Reported

2024-03-22 01:48

Platform

win7-20240215-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2328 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2328 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2328 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2328 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 2328 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 2328 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 2328 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 860 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 860 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 860 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 860 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2520 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2520 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2520 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2520 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2516 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2516 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2516 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2516 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2948 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2632 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2632 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2632 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2632 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2892 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2892 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2892 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2892 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1932 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1932 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1932 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1932 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2356 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2356 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2356 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2356 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2624 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2624 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2624 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2624 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1468 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1468 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1468 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1468 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2032 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2032 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2032 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2032 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2012 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2012 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2012 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2012 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 816 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 816 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 816 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 816 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3040 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3040 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3040 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3040 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 bublikimanager.com udp

Files

memory/2328-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/860-1-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ffc20bbf5c115d80f1c6e4f8d8ed9542
SHA1 7db2d677f609abd4a4fa79e229218b5fd728a945
SHA256 e290fb46031ec018fae77f2d3063a2156e56012458aa105dc9f02581511042d3
SHA512 ba8f30e1cfa0859689a947a287217e2341567492fc392ea4cc8f885bdc71a064076cc79db8d63a1a1b1bf56fd2431c359ca4ce2fef76e2e751019ceeaee09917

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2328-9-0x0000000000400000-0x0000000000430000-memory.dmp

memory/860-10-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f6de9814a371a7bbe9f32c054f4c933b
SHA1 04a2501540b2f4fe536fe97b1376cf558c3d26a3
SHA256 3a9bff65adb134499e56816d7ef34a22243e61080801f3be623f148dd270dbbf
SHA512 77bef3ef7ca34c4f39513430f8ad654e0c04742ac4c7eda7dc3f936fed409ca08812445053a80bf8db2699960f7a22e9f6c64e5b2183ab0f53280f92145fe28d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4a8ac7c051f4f630af44c586f7ba8c68
SHA1 bb4e5b47513d43f63dee7b8f05e16ba9a1e7e4b5
SHA256 041d40983cf916426c2a7513cfa72c2d1d39f8794ae9d17ef0f411db1b6a632d
SHA512 4ee7d5a5152dadcb771616894340f506e7c4cecff02753582a3235af72eee79d4961edfd20328693627a62555f819ed3ecfbcf43106d9e1c294ce6902212bbec

C:\Windows\SysWOW64\drivers\spools.exe

MD5 204903c69a7958703cfc12d8f7b17579
SHA1 8d0d5656126868cc0e905009eeda4b12766cbde1
SHA256 4bb78b2b76c3de88637c5b64c9317fca818b703bccfbe7054a6971703855e4ae
SHA512 b0795e945487ad7b2b7108ec0070007a55083751ba0b9167f90bc2bd9918e247be2134b7d825808e71e32f2e2ce260297d1eabe49ff1e6752b6a1e286a3881a7

memory/2520-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2516-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2520-16-0x0000000000310000-0x0000000000340000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c44daa4510b494775f6a181c6b816c41
SHA1 e71e96ad0d36a3f6c2c92c2e7ac46cce6c59edb9
SHA256 acfb3bff4f278157e38ec64746ff62640c2fda4da4dea21b628e31abacb93347
SHA512 bed489a44c7f99acd3a3da86ec7acd321a2cc58b002784ebfa4752d59e962406a0015f2f5b0a921aa99596f8c9542d1d988530ad8027877fa9906acf64ff6bbd

memory/2516-29-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e587ff1c531a5871ca3eb7d2a3184916
SHA1 7e9496425762ad144659cd7d928ae49ca509c97e
SHA256 9473a40b3a56c5f4ca2c9ad577733fad8b0ca123aac1e002d3a3950846624ded
SHA512 cd1f2ebc5159acadf544ef4a410c5680c31a75dc00f6c1f19815ba42274f86008f14ad7ddf5e3a21104ae83a915a6c66d38e60679aabc70d62165ba72dc13810

memory/2948-30-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2516-25-0x0000000000360000-0x0000000000390000-memory.dmp

memory/2948-39-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c60bcc04ae4e5443667a4c1a3a3bb59c
SHA1 43c0090f0116431a1b3051edf6b99872279c8cef
SHA256 ea325b902cedf8e482a8fe558686b5423604a178065b4118141fb3065ba874aa
SHA512 893a959b1b8c3b5c97cd62bd44e3e4826b43a15eb08d5ad54799345af7305967c90a3ca376d734f0243e1f9614d664d93b6fb5973521f02442d4a4e764f4ca76

memory/2632-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 22fa0723ac35fa6a46fda2fef4ddd7b6
SHA1 f846644ef943d829958da5e349ef4baf6ee210ec
SHA256 030b6f80e7f26182d87dba658cb2da14d46cedf75b92b7efbb6bdbc24f1633f8
SHA512 792219b132df97bfbead717b83278da8d6255a96590afb0b75bf6e848135a493db0753050c29a078cf013fc57f8fd5b3a701eeb7c77b100c155484c624d3baf3

C:\Windows\SysWOW64\drivers\spools.exe

MD5 09a6925dc7edc8c7f014d1bb27dbe314
SHA1 e305625632977b8d70578964ce82125aceb0d045
SHA256 e3fc358d5e17d2fb236bab23c3570d89088828badd7973073eb274a6afe68b78
SHA512 dc1f8331268f9939c86c21303b25341045dcad17ea1f470c02eb49766c8281db9dc0fa110f56d47ead4ee5f0ff2b29a82eb4af2d7cb6c464041558a2ed21dbde

memory/2892-48-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2632-49-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ab1b642b50ff01bd4093f442c78f3c26
SHA1 7e92bc4f3173d89c2493646a6811cff360139b73
SHA256 9a64a965ac63554bfc52c75a8a5e46ebdf99c1a504af04791fa61363f0931f89
SHA512 3dab84c06ccd1c088d678538ecfdca7f0f751419083a872a4f71b77daa4311c7478802723df95e9686724095d703b2874f4277e3867624cf3e1b19d0b77ac4ff

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ef1565766119342bf517a53abb7a3a6e
SHA1 7655753c6de2e58dc880ff7e56bb390eb6a6d2eb
SHA256 db86545e4ec3925abb197db424901cc76fe3ee42d897971f12f9a0cadf4dca21
SHA512 449d1331025b76def85b112f70cb5cfbe1229a9a9bfa96e2df6109dc81414db167207b1e692fcf2455575a756bbe25dd5049f57da844ca4796b5a5689f0e2544

memory/2892-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1932-57-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a7dd7e27527f80681cfe5694a8ddeb72
SHA1 8940aa1878b8f440e38a5581c875e1c06e92314e
SHA256 f8662e2fdaf0499729624c5783d94fb62533c7106afaf5c782ba72cd3167d78a
SHA512 c9cab80d346d5330ceb8f04951f4acbcd4adfd749e5171ec837e0c162ddf6ba57cfb8f90887e3afdeb76620f654e48f5293826470a13cec0fa3e088d95313ab5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a952660dcd628769e32e093a3227fc04
SHA1 44d5fa88902f907d45106ac4411f4dbb5d5eab93
SHA256 e68209286873bc3b19152483747c9d1eb877dff3b5583afdb86f29001bbe67c5
SHA512 4ab544c827b8475005abff4dbeb9cb5ca4abb0bb938f85586aeb8587a6b861e9904b3e4168f6e5caca0440503e0858b020c898610c3c2203f56fbc364f8a2cc1

memory/2356-65-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1932-69-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 50705d95a0ddb6cb6bfc1d16d9e94083
SHA1 5a9a536f2fcbabda72fa0800221f4c414de1d456
SHA256 f28d6e9edb2b73939d83d94b6ab2bd5a1a5b4783b4ddff7b4a96c4a60e0966c0
SHA512 ee7650238e92d1dccf408ac8a52e8fc53e64b5782d89468bf332f3982ca28680aa4ebd9c0ba2df6e13e8e8fb54140bfcbcf277d1fd6bb5a380c7647446632b57

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2573cc29b428a921813a345d5426c21c
SHA1 b19df853e8ebfec3d83a82c2ba342cee920dbfbd
SHA256 c8e7f18a31edd35770be0cc3b7969f0faf44ce2f0d031856d448f9d6d4bc3f0b
SHA512 20a9fc7abdf1b6eb35870d708d5db1bde24d690c1693db98bff1629989b46200edbe322d832eeb160a891f089d19c037b7f627550dea4cb5be12d8f63831994a

memory/2356-77-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2624-75-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f212adcf1cfcbf49e1c82ded9bd5444a
SHA1 8502522985dade2af583d05473947647f1e3b4b3
SHA256 d21dcdbe215df39505f58e794e987ad209f3dad915e487ef9e565a6dd0cfbc94
SHA512 0c8447091ae8d8d84e75266474d54f95da72410aa4a14ad860786957de8d88cea332d39238c4e7e06c35713d9845125de543eeee6bb85e163de3568b0772bb2a

memory/2624-85-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 70ed3206de0f67f0d5e886e84ef872bc
SHA1 41d9564e57e7659f1159b977c830a52766df4da8
SHA256 2c8434f8118e0d91fbdbb237078fa4b22d1098d20a56fed6d61ffcf2a97ca108
SHA512 43188548e35f3249dba90149644f3c7f4b52aa90284da3335b8f41f5b47a26590912d72692d77f238afdd3baa9f26a2f4dee7ec50da3cc086a3615def475f252

memory/2032-95-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1468-94-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 fa87059637bc087afd6b73d751a7ecd1
SHA1 e5670f6d841d8bd579ea56e21621363f3fa0503a
SHA256 167e3debf9bfc15c5670961674991362844841a6423850643462610612093a42
SHA512 fa2c0b4a84def998f0a168b2bbeac37e8531eb6352e198a6d669dff5c9b6e51180e9a10f23c2ec828f305d5e56a41f1cc1d70472b26d3fa164c71040ebc3ddbb

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 519ea5364db422ce8d8b27ce13fe9bf8
SHA1 a699fffdcb7db2f00f382287e69172ca321eba9d
SHA256 53f97297962c51b3dda7f3361541de9e3f992b39cde9350fe72713a547250f1c
SHA512 5a296402c35fc04bd62916abe2ee0cad1cf0d361db5bb1d774c0e3c23f2fc6ef93eb0245a40e0e56ec9cbc662052c95538383246709e65e09dba402d473cfde3

memory/2012-103-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f2076a5e9e4858c1f93feb28308a5a6c
SHA1 d8d1bc5b06eb4bea28d702fbd5f8368c8f895ed5
SHA256 7c1c3d8ce7a3f69ba310a480b6e8863241089dd1f4774bd68016b25c199052b1
SHA512 9d03b3705a358285f90423bc7930d42005ee5997fd97796cc6733ac7ad2e36951fbdfd41ba075255cb83676733084bd9d6700145ffdb4e4bd3bbc7fecf3ecd8e

memory/2032-104-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2032-99-0x0000000000370000-0x00000000003A0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7c89c06381c60f480db61b7bf1d20f1b
SHA1 0925596be6ca89087a07ea999585e7dc3e0e1551
SHA256 e978144028d88a1da2cc08b9baa6c05372a6ceb7ce71cc19f65efbd2f14303c3
SHA512 cf1f4dac077f6f01b2e90d7b2f56cc7dc475265f50b26979828997337c8d101e1265626669bdf2f5555d84873992f546056f7f72cc372bed39e3ea1652801b1e

memory/816-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2012-113-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0ee95c6431faede5829bf074b9f2aae4
SHA1 b9d668f09238c3659367531fedc1ab8e5b29607b
SHA256 c615c079d1784b823c36545ad319668e6a7bb47c0cf37eb73c7eaa52b895c791
SHA512 3f157e69e22fbb850a322310f37aa80e42aa898e582b39c1262ffa9c9c9259480a5b80c89afa563cc408a1197ac03d197b58f964cdcbd8e1353f19af15f014fa

C:\Windows\SysWOW64\drivers\spools.exe

MD5 142fd7378265928eb655e11e82d97a05
SHA1 848fd8c7f57b54b403e863a5f3fac39ee9cf857e
SHA256 4d48c573dcab10eee11a611592ec99148cb43bc2bd1930911f2fc912662a5850
SHA512 76df7afc5a0b8644789b197b565e1d200b9148d078d2c3d8d32470e1e9d0f03549b52bb8a7bb9e080611e31c8d99ed1d838c75c34f8878b28ba50e1b547b1789

memory/816-118-0x0000000000310000-0x0000000000340000-memory.dmp

memory/3040-120-0x0000000000400000-0x0000000000430000-memory.dmp

memory/816-122-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bce934392e1e3cefd3b51d1bcc9bd58c
SHA1 717c213d7e34b41c26fce5924bcf64a6f9da8aaa
SHA256 631e7f405d348c8a5826d9d658bd131cfca32ecddc169ec54a78245bad45dfea
SHA512 2598b3621ee1ee0fc3a4a0be2b3b58b9c5cefe2651b2b824ca42880040076f95f7b2c6590da8110b8e532fcb54cca18deac2fb23198a2c3dbade4c694bdda06d

memory/2224-129-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3040-131-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 096333f755c8140fa77782d075bba52d
SHA1 88e29ccb1ba45c13441ab59670c4b485c1c3049f
SHA256 ec0e2ca5c4c91352297e95a3771a307fff2419d9785a3df277d15d447f8507ed
SHA512 ad5e09294e9ab19af95de0584003aa5995e07dbaed5198876419feb511ed7952dffc8baf71cdd31691675b5e13a0fa352efc017a5c4d12c7edd631a7adde062f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 fb358d8218bdd6a51cc6ef746c57c90a
SHA1 c6f5e228506f0de1ace3cfb2139887461f576546
SHA256 1a74632835b5c9d7b401d5488bcea89585bf5386d7c32249e516dfc7e64babca
SHA512 56d2c7b287a29aa610151a83b4e669bb1b76a333eda29b2d21593b306d8fbc6d867594e3d8e30269f2e815533c8be4b8ce311e015b4d9601f71c029543be19f8

memory/2224-137-0x0000000000360000-0x0000000000390000-memory.dmp

memory/1284-140-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2224-142-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 40086dfc852aeb9ab7973c110e924014
SHA1 3c447e78a868f5148a5c631243429558a2775640
SHA256 a8f84d399cb4c589849a2a730a0eb267fd6785f3977623e098b8a6660cd574a1
SHA512 828f2c78fe1b764c36dd12b91f87276431a7e2efa1f9a05b6e3cd952022e950ccef34bf9d2482271431e9548e33a0c3e8dcc1f8e23357d0c1646a890e0bad968

C:\Windows\SysWOW64\drivers\spools.exe

MD5 816c9eb93baaad90b57e96ef0bc5e88d
SHA1 fde93693461038befbaae5b6644e4fef038d9c33
SHA256 9c5a85d6107ccb0da24c49bc2fd1943f5e687d8f4160a4b6af919ddd6dbcf4d2
SHA512 f65d2473608fe8d91c65097040cbb8d1053ed998fb1e1058656d53ad030fb51a5dfa91418fefc3f2b0a171139f450dfe920f81e34a206b69caa1c72f58395e18

memory/1284-146-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/952-149-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1284-151-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 decfa50e3e93b333930f812662bf2d15
SHA1 5af074065386f2c456c855a1ebc60f73a78b0084
SHA256 3f134db483c396000064a6b788ea88f3c054d3930cf1fc002735405fffe640e0
SHA512 3b68e40f0cb80d91226fae2f35b3eef63942b9baa360084b58b46890b0f2010d0ee7c7ad3ee358cabd34fccc66e8d4971e2279d57de94f452ed06f0079b30099

memory/952-156-0x00000000003C0000-0x00000000003F0000-memory.dmp

memory/856-159-0x0000000000400000-0x0000000000430000-memory.dmp

memory/952-161-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 70d3672c4642ee5b152e19ee508fc149
SHA1 f310fb507d4e5c1b8d21c77cbf149a7f78f92398
SHA256 697d4b6c7a0e39ea7dd251cc99d5d5bc14837881df4b82624155d1a918d93725
SHA512 3a334395e6cc64f23a2fcd7a987939cc2b0f6a6401213ff750b879526c666f40ef32a55563381e27a8d38600296b51cbfdd05730c9ceaeb42fd1ab746a5374ca

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a6a1849f30a064a1d56a90a7dfdd7f88
SHA1 61867b2c68e6a3bfae9bf6ea573aeaac345f6436
SHA256 d8d49658ce6e895eff9f93bb7f071568f2541de72930068281ce03431e2b4a76
SHA512 2321c314938f954fbe87307b7cae9738d918e7a1983b6c0e645596832561c806c0de3fea11128d71476c67c714d28c20790bb9e3381fe6dcaed0b1c366964d4c

memory/856-167-0x00000000004E0000-0x0000000000510000-memory.dmp

memory/2096-168-0x0000000000400000-0x0000000000430000-memory.dmp

memory/856-170-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b174bbb776ac096caf9cddf48739f71c
SHA1 3606f8cbcb67b16268e4b31544ec9112f457092d
SHA256 fcc2d9d7266f039b3b6e28a6b7dd4d1312665b3175df21822c7055c605551ad8
SHA512 ef0c17c743b0dbcceeb92025d415321c5a8cbb4b307c4996687d1c842b86a4268f1a2553899fbcf1cb04a2d64ba4709a785ce16f6f9b4435ed62de1497d3e983

memory/2096-175-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/1880-178-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2096-180-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 834cdf193a6a5af351a30a00299d75df
SHA1 1a0b41b1f690c43f832528b3c3d618860462fb50
SHA256 d291d39c9da74d334160a8d0fd3b71bcc5dcd6a20cc8bedb718e1e6574d02e74
SHA512 903005305ed9292ee3ed126e67f3c5cf64ee19bbe0fea0988b2a3df3065e03cee139336fbfb688f43cb4ad0b4cf357aac74ea326262937e0a0b521ddb54fadad

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4c4a675101d6ea09da14c664240193f8
SHA1 9a4e6bb99ff4f0d27cc33f288e247d4595bf32be
SHA256 43424aa5324066e22d77096e549646d7b37e9be554b201dd1af25ec164bf3801
SHA512 19253450bb369095e6eef2eed942abf5aa4e54b125d943e83861639ce0873b411f20228372bf4a89eff924a2a705f5f107ad7df52dab377f891ddd7f76bbeea3

memory/2652-186-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1880-188-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a5664ac314ca55ca96b76ccad22933d9
SHA1 b23d8df8d8c565af319d7b78b72927b33b0896e7
SHA256 d773551d11be9bcec154865262c3ef3845863f4d60e4282baae1fb86cd157db9
SHA512 edb0a59383e1dcd3f4ceed67b21f6b0709d07a35cf576b587c33ff5db88d31f274715d24f2f70048c77730dff4c8db02f09148d5fa7c2ef86ff1b76135a9f4da

memory/2592-195-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2652-197-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 39deaacdf3aafd3edb2013d010ca84b2
SHA1 f89910fdc122c37a36534f4fa5f7825a1c14e0ed
SHA256 233dc5073cbde25f8a18dad432d157dba467b71ebfb30cbda054d747268c5ae1
SHA512 95cf64f2ebd6b33351aa34606e866387287545b3cfd9f125e2489159bf9070fe685f64acb4905b9d8ef440ea90c4ff506d880fb448fb6719a42a52db0bb19026

C:\Windows\SysWOW64\drivers\spools.exe

MD5 94ee6ccd0d56c3749acce44727ee85fa
SHA1 c795fdff9269d7d1ace556e43f50fdaf7af0aad2
SHA256 30bfb202c632eb0deacbe972647cdc2bf1563b7cf48884af6a6140edafecb4ad
SHA512 f83e98ca6046debc9360f8251dc3b1f3230c6b8b6af4ba11580e34975c030c09d755fcd5e0f42960a1e84875acd31c90bb74b7013ddc6b74d1c048b635b4015a

memory/2540-205-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2592-207-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a2863803cce0156202ba605c41452208
SHA1 d017c1be1e3c0c6f0e4dae7620b9275dcaaa89ae
SHA256 64e0d79b00fc1f614e73344d982c236d8b4aa60da18c4324d035c2fb2edfe4fc
SHA512 080a106e4f15fc31e6af3d879c13578444424f32822158971f480c9ce13baec488eacec9eebc0a9d2dc838580ca118915c079cbc2ea4527c564347bb460c1eb0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bcd30b4d4fdb687e86e5b33cd60f83e2
SHA1 00f7463ba1fe621175fe1d4ece9a6b64de6bc902
SHA256 faff5a98567aeba02f659b10213a337bd03061892174f6c1127c57114d11393b
SHA512 197606d184125b1339e179d3b0ab602a448dd509f0998ab1e820a4b7284bd07a43379c3d9e43df1092f3ab5333e26dfe371791e42177ead8ed2715e15e1d4172

memory/2436-215-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2540-217-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 64c014e4cb2136416aeb2c0647baccb8
SHA1 e4245d73253821ade4a481958bc4c1b1f893f23e
SHA256 b4234502b1f4d823ddd5be397e6b36f0be75ea8f49a5f01eb2990f737fa5d65c
SHA512 fb1dae71e2bea46403294bcaee8f38c19235766ab5c75f4bdbc424c8031324db7ef98d2b2c04f69567787369e372fc203a6598e3c7d51779304c109f19d35eb6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a7a3f2176f5ee7242070a47c96734463
SHA1 636027a7f28e3db831017d350fe4ce7e489f76a3
SHA256 5d58036046cb1302f0f5fd61143f003a48757cb071928a8efb2537a7fee1741b
SHA512 bd5bbefe2ff46090496519052634b10cd8b80a723c4729a102588d2b79ae50c7b983242f8d7b05b1c0756e8346e0807f5bb478f94cce30ab013e82ce208c7caf

memory/2332-225-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2436-227-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2332-233-0x0000000000400000-0x0000000000430000-memory.dmp

memory/752-240-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2756-239-0x0000000000400000-0x0000000000430000-memory.dmp

memory/752-246-0x0000000000400000-0x0000000000430000-memory.dmp

memory/768-252-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1696-259-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1696-257-0x0000000000370000-0x00000000003A0000-memory.dmp

memory/2504-260-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2504-267-0x0000000000370000-0x00000000003A0000-memory.dmp

memory/2640-268-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2504-266-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2640-275-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2640-273-0x0000000000390000-0x00000000003C0000-memory.dmp

memory/1664-276-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2108-283-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1664-282-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2108-288-0x0000000000390000-0x00000000003C0000-memory.dmp

memory/1720-290-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2108-291-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1720-298-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1732-299-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1720-296-0x00000000004B0000-0x00000000004E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-22 01:46

Reported

2024-03-22 01:48

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Windows\SysWOW64\reg.exe
PID 3724 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3724 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3724 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4704 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4704 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4704 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3864 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3864 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3864 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2696 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2696 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2696 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4384 wrote to memory of 5776 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4384 wrote to memory of 5776 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4384 wrote to memory of 5776 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5776 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5776 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5776 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4508 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4508 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4508 wrote to memory of 5832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5832 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5832 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5832 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3612 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4892 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4892 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4892 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4496 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4496 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 4496 wrote to memory of 5272 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5272 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5272 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5272 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1000 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1000 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1000 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2684 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5072 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5072 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5072 wrote to memory of 5636 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5636 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5636 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5636 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3224 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3224 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 3224 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2832 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2832 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 2832 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1252 wrote to memory of 5268 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1252 wrote to memory of 5268 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 1252 wrote to memory of 5268 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe
PID 5268 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

"C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

C:\Users\Admin\AppData\Local\Temp\ebe717197fc4cf26017678e09e1cf478f9a92ede908aea895f3aea5d129cf3fa.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 20.231.121.79:80 tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/3724-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3f8f8ee77cd77b9ed8ab7ab8e6d7b675
SHA1 0a2b9387b4acac89aa3d1b56cd6c4a3affa7b248
SHA256 847b71539589cea92534fe1e595bdb9b0bd0259642f54cf6ce6bc418f4a7d5fb
SHA512 573ee78f06d609635fd54db8a002caab7b1a73ab58f433574aeef8cdda660168434eaf4adc1feb089491a8776a856a90df7174c70c875c9a7344e32599fddf82

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4704-8-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3724-9-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7008469dc477e17cc476f1111f8ef536
SHA1 a4ff262c146002ac80b4c1332e2ba33e427bab70
SHA256 aacccc43a831310f9bd7a2457f2f75f6407eeea708dcfdf301eb2051dd3564ec
SHA512 e8920e7431101a172679d4ecc8b924be3f827a40d66bed045d43b7436c9116a172c680f55f7339dc26a035a7706d6b4545cca8adbb5fbe34f9e9da6ec79fd637

C:\Windows\SysWOW64\drivers\spools.exe

MD5 65842a51361befb7189c95fe72a0212a
SHA1 dfe7352317af0ece00a04084322de65180a603d0
SHA256 fd5cc66bb045f398d5f5ef0b9b6665c41d137e1f3b55f785929e5fa7fe6ec4f4
SHA512 ffb58f0e33b24ef9dd5adc8a9e9b93a552fb16654653109c26761fa550e679d6faa46f54285fb62838f1d487bec3cf48ba06f1b5454976c48f20494ec2df96d2

memory/3864-18-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4704-22-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 400ad9cf48137bb23ce35d4e10bdcd5e
SHA1 26e64f5d4fdba24e5c013dc715bde6f1ff0b3017
SHA256 7a30f0d05d05ba20968028aa1bcea1081ddd2f3db975b3dbe29dd095c13d0820
SHA512 89e917036f0fc36cc728393fae4f49768b0eaa4386783dc39938c1576ef76319c124a6bb84f6cdefebdaf0b36f4f601e8fdb5b5ba295bc1d6c2aaf9d5e18d29b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 eb1b1801cdda0b2f8693f145b0d3200e
SHA1 87d2db0e43f3a1651145f191731aeb3becd13fa1
SHA256 af59cc5906c040fea2c756b2e4f4f0ab4cfb7e64e1cde52ab8295d194175984c
SHA512 8da7a2c10a7fc8dc130694e9c00eb7d7b5234e7a616828618c0ecf8d371f65caf3a6ce34dc969661cf937e2fbbc1dbcc753a65df9ab3e657cbb4b111a8002426

memory/2696-33-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3864-35-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7bfb57fc3ef78c59d2d5851d07709e65
SHA1 589d9f517ce84a8d786c3ff9d57a122c6bef173d
SHA256 6f5205c585d1e69aef074d8de0641bf84949408ad78fec7363a8ef69156e7ec1
SHA512 e2cc052e4d921bcdf195099813b007f83709b4b29c9e485bd6a8c2073bcb9cfc6bc5b8abb227152a3e6df1b4ab55688179156bc198b5a62470565937bbf3259a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e8559aa33568102e6a110366add6d5d6
SHA1 73830deca970649715e00e53c22f02618e82f880
SHA256 4966fa6b556a11f5cf8dc1f693e3a5de205144483b41471caeffa57da90706cf
SHA512 90ce7ee6a3f17d539107f67f878dd6c5a298fbe2b7bd746c1236b884241089fe52668e98cd87a6f8448180ed075f9596aa10fa320c85ca655e5284fe8ec7a916

memory/4384-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2696-48-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 57ec03a220478e82530895afdd3eb29c
SHA1 863d914add62eee6400c8aa222ac18f96d4e0a06
SHA256 4c35cc0f998e00a2c5ad73760f5d9a99eaaef5016c8f94a82ee46e89b6fd7093
SHA512 8f29d8ec33ff5735caf0fa33b45867cb9f8ed5302f7f76b14bde13643e1bce1565e98c122924d311e84098bbcd36d2cfe275bfaa04912da44f7db2c20df1a1b5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c5d51e0fb3ab943168034fd966ea7312
SHA1 0c078fbcebf4471c64ec71c8b66cb64699709a04
SHA256 8791cea309c47fc83cbd965ff16e29105167671f5c1481c5494f3892cffa424b
SHA512 4b0b2d7b07a8d1593beaad53ed79ee364793c897af3ebdc6fee65a8cfc40fb2f3b581bb7f3573f31275e8e1f7486ce5fcc6d58546b3f24baa597ddd395ef589c

memory/5776-59-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4384-61-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 45b1639154bde013aafa5adfa8a955fe
SHA1 ba14a45d2f78812a66544a8a45cdae5391f81231
SHA256 1d2414bf44cb576e15c83df8cfdf30495d4f73b25a5fbe8067c245ba881b1f67
SHA512 926e71d7a3e8e6c6a5eaf0bd7914f8e5fa70fc16c39479a6980787fedb5de4ccf3f64a16db184f1401cb09519b6b1bb0701a3a2e691c98ce45a60d4b85ad1914

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e8ce968a6d10467f2a4a08555297c7d4
SHA1 86feb14d6e9fb6ac84c0b5fad269ffd403843b6f
SHA256 525b06c27790f2dc8e8b6bd4ef0ec2dd7fce8f92ffa4cf1c93c243bbb47d62dd
SHA512 2acfe0dc78b85c8f2bdc762f6f36d75e45cf4d2b89e479456413bd11be3673b77150c8cd3c7d07ae1451888d459c2899cfa2b81ec92b3dc27759ea91eae102cf

memory/4508-71-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5776-74-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 911ce136d118861e5f1f9cbfd665418f
SHA1 ca192332e25cabcd317cc81beb9ef4e5d2b545fa
SHA256 d0c12be1f3080e33977c2d2e543da934bfaa3ce5b8f14f2a1ce2c2ccbd47db3a
SHA512 c76a63cd1069d8a40f6357c36db7d62fdfec33d0889a04d335bf48b779f578e38347994b39e759500120790ae6fc6f0a8513950cd57f870c2bcf21f7d06436bd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ebaca7534a22e04160e40feffd81621c
SHA1 69ccdf21d776ec715d9dfad795b0acd3c53d2680
SHA256 b420e8bad9ddd31552d926c1fda945c91136ff9470b0935bd75cdadef052d6d9
SHA512 df6ad12e4beb5664280d101aaa1cb8de301151e521507c1c429bad9c24377b7f5fdb4506599272af032441d934a62fed49d52c7fe0522e339b873dc87bce39a3

memory/5832-85-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4508-87-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 23eb9508938d532d598540c2be165666
SHA1 f8c2b56102733736fb7d95a5d0ea51889eb80f36
SHA256 342da1a86141fb5f0fb1e29eec02a25b72e37775e4e5f1f973931a06874cc679
SHA512 e85e42add42bfc03e6fe5b926ae729d2b46c55ca7b2bd9aa04cada499caeca6067c46632780a5b953f5a6cdf9a99ea9517a6e6904032f786d3efe8c649fb3e42

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4490d9104f3c2f7aef2cbc5d8ce3bc83
SHA1 f27a90375cd49dcd941e0c191889f220fc2c0390
SHA256 9c0085297213e422accab0f1926de568c4fc3df63024242c84020abaa108c53e
SHA512 971d5c8e3ebcadd8ce57f5542cf1ba9d1d8e2f120dfa53b71f63dc7b6288b2dd5317691f1af75733c15d210bd513069200fa25c2cbfb7b216825ea69bfae19a3

memory/2144-98-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5832-100-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f7f852b522e40dcbfce869fe9f023cb5
SHA1 8c35ff164cb6b7bad5d72a53d70f1973e1ff8212
SHA256 b5be43f9987de136da76e5d185d1107996837720d502327728f7afd099bfb6b4
SHA512 1f1e268b47add36492ac1ec6874ca66e4db2483eb7ac7fd0b0cad2d38b12ea4c6017ecbc75132ec1904f8ded3b10704bdd24209fd6b058e7b255a1f2bfaf440a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8c3fd51d584d88bb3cfdcee5d8e3d33a
SHA1 ab22990cee7afe34f60f1da062ab85689dc4f8a8
SHA256 88d579a7fbee03ac8588a42c2503ade601ef5953bf37bb210ecb40ff62da4b32
SHA512 1c40d1841bf969428c3d856106112c35563aac9c8ed5d582566448d5cfed42d56da035bec7c87b8d58fc8364a0b371758d621004f016fa10ffae26281f6447a7

memory/3612-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2144-113-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bdc33572a31a0de86c9f1adecdab3576
SHA1 d2d39771e8491d923db3047e8aeae908fd9ff1fc
SHA256 7a60548e04d7c099051c7743c3aa7c3e1f538bc639db8c72990e3cfceb9bddaa
SHA512 dddb6724be006d5152d4e5eb6dd81a1f62a8d4ad41c840de11228ef4b75e70bdf1217537ca8dbcebbb6ea5f73e657f7a2947e84d78dd41075864316eb236dd91

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9b072cea1bf92a4aca1554da353054db
SHA1 9b2c09c9b71a9f07f97301dbc346b54d89be02cb
SHA256 e07726fd5684a8fe795ade846caf91cdda35e1c38f908710d739453d2cd6f7a4
SHA512 8703062ed8cf240408744e424ae8818bcdb8699993b8f0489c4db6a6e36ddba98c703be48c68239f870caacfcc86d73948dcecff05cefe8d14d268fb44089015

memory/4892-124-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3612-126-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5503d4332718414fba7b9be2721de536
SHA1 fbd3f0fa378d3cea0bbb6403b8f2e87933ac1888
SHA256 e74ca0956278e757226f7d419f3c36ef8d0ea77538e391a045dc8189d4c5aedb
SHA512 7de166b749ad8adf71e5b6d8d8802c0742858b8e52983d91b2f62c049b4d3c0e9413cbb1e3bf62e41fb17212a2bee2ef67caed5d031eb7344b161059cf4c6d67

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e0a20a892b3c219c045dd5b341f9ab7d
SHA1 6f65a9a26bd04166dfe2cddcb780fc68ce68b787
SHA256 443425bb8ed88bb318407d4115dbcbc59a4e417883c9f9c0dc59938ac017d469
SHA512 78e7dd71d3e67d68316551bd708a8e7f362f7bf795c89d8b65f9337ddd474cc0af4d0b079885ce964683ab2ceed5b4a76e5cc5785932cf69f93fccde10e77e97

memory/4496-137-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4892-139-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4541a40321a338a3ef391cdf2ae01bda
SHA1 3cb9089e3c12a61cb653e14be142f94e67c07600
SHA256 4c3286e940983815ffb2d54e6eff5c943edbdefce9d6c81846f8346aeeb32dc4
SHA512 c7d9a9f94805e70a95fd2325c27d9bb28231a577b51f4b99e92930b8e9ddb7e6608d427783b6edeaafbd362cea8814550386f35289e83ffd712bfc84bbf798a2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 be1b5067b9e45e59df23baf42e5af5ad
SHA1 9fb864266c8f42041b35be1e1ae3e75c41b202e8
SHA256 97b48af034c04c79138a0156dbd707423c1ae8089f88276dd4c66e6d24416a36
SHA512 68e1c2d3978869475abf6151ff823bbc6b481f2670d01bf5b90732ab6e5ff66dcadf01b125a2bc2f7209d733e1f886c9822bb0dfea964595f0cc67c560e0a89d

memory/4496-152-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5272-150-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0fae10609b8a3d6af3eb6c5fe6d5da99
SHA1 d01d132bd47a9bdfba686b4020a8828fc9363616
SHA256 79db74a9fb580c395d32483f4b546c75243dc2dd93062e42f28e07aef05a2b1e
SHA512 107abfac5b22863049799f2c94e5b076c4e9e7ddf8ddf862c17140571fd11d17e57469b5cbb7fc9056a6e790e4e15667042cf3b79e085ad10bddafac8eada398

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cca5bd37fa0b04160573d0ded1b7a470
SHA1 24b30b970d3b9810bf3748aaf4cbc8e75245c46e
SHA256 09183550c511eec215b30833e100655d7417c5bc79f8ba2c7d4e206928f6a3a9
SHA512 1b7e883c7459b8a5b291bc5835ef246654b164aec2d26926dde3616c38b603a173d70eb08aaaec4c57329bf4e26512bd308d4d5f58b3d5c3ab616ea2c389dbc1

memory/1000-163-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5272-165-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ec8d45b50196d532f52ea2ecbdc570c3
SHA1 b3201264a90dddb10c41ffa8920864d08e54a526
SHA256 533100f4638fbac58fa5f67780a36c7ad99d2e788cc3926cbe870de18fd6f89c
SHA512 66cf006efbbf48280762772b7a311fbab5f11e1ba9b19279519b9b0b09357c123b81db4165d0b3deaf7324cbde1a7370e81b7e4fa0fc00af9815dc116ef18b14

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a866f858383666451d7c0b43a83b29b2
SHA1 e8c23c4b91e0dddf19336fbfeaccdec41db3a121
SHA256 7657aadd46d8518c96685a9c90ea9266a79ac3358549747e37ba202c16e4a1f9
SHA512 f791de316f179fc0f08cb023d189c650b2b9034556749a72ae3aa112d044d1f0914d4cd2f64ace086dbabb88cc7b09f39df377811bd7c2d6739bc1cac3a60aaa

memory/1000-177-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 883480a10b2d55de313a32f6ac4342f9
SHA1 1a605858e196be3bb528e5fa22d26274d5117a8f
SHA256 237415c343a9de8b26ff49ba39723869510562f97ae8d5eaf61550fc31885c9e
SHA512 5abc22e808d0e442401eab8840440893fb1066aef7aa6b2d86a25496e171a6cffe5e3eb6ec5c3a5ef5cdf7028d3716ad38c87d69ea630ce43e4563ab4684ea5b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7a9edf36c77f0ac9a3dd401ba33f343e
SHA1 a098bca75cce3ab2bb6e8d0d95e6c77d5196beb9
SHA256 83a01c3fc733a11192e5f158d56ebb3768ee43b48d9b0be85d8f27fdd9dd2c50
SHA512 933ac9647c76ba84a27dcd6862253b68728cf8c5dd0a9c779e6e5e1f627f25a0e1e3b915fe2577aa7627d0fca3ac0ed7bbfc39581791f3447aae9fd987cb5ece

memory/5072-188-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2684-190-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 20198e46b8d4f2ca2b6684aedb9d778d
SHA1 db40faf38bdf183baed7119b2a722409701abb04
SHA256 926bc53636b93b2c90e2bd3cb49f1a499896e34682e9600139e7e2fd0e2f86ed
SHA512 0f722a5fb4bfe6aa638aadfa5f5ffb80045511a3c883f4ae4bc36c42b1ad27bfe39c90bec3f8bf84c26eff52a57563d2210c69c9e6f3efef2c77a340280ffbf7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 68ecb648561bc6a5687cb2bb7afb3ac7
SHA1 90173a6e1cc42324f74725628147b0009dc51a82
SHA256 7bb5361974490fab67a1838c0350e784c548d454e6233215895dd3e7bcadcd74
SHA512 da9a0e1cb42a37ccf64f2046a6fdbc5f8d9c9ace68a85d671a99505438fbde8f36a8383475ba1785f85d612051dd841f4f65228ccdabf137f6e95abd733f7b2c

memory/5636-201-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5072-203-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f685daf1b6f14a37a498aeb9d0c0b423
SHA1 c86abd6ca315d8dde4151412273c01ef26cb19a7
SHA256 98eda98265d6124af118c68de56d5900a5ef40b255b6702b7d16435e4d451180
SHA512 587415431e3ca85a9c27cfbd7e7cbe58d7fdc37da6ce68bd4e673802da5d2cf4d53d2a49af9d1aa13dc8ba6f05d1b8615566ac097d02ca62825d704370207e0d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 dd0c5f02fcb74beecef9086c42645e70
SHA1 dea86bb317e8d227b9b4b1742205b07b93908141
SHA256 af1bef69da279382f8992945d1fda9c5ea940e091c68279c2a882a0f67265372
SHA512 e20f55ef54e839099b3cdb6849fe73807f83c0bf5d689e194a61533dc4f7e3d03e74f495591fbde648e49ee5dbb7e9831b318504b25442e929b71f8a2dafd211

memory/3224-214-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5636-216-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c62293b8d3b0580fa6e2c2b42489d718
SHA1 657e9d96b8b2f909e064b5c5bfb5587075e3eb27
SHA256 98356f4a127a77252196a783a15139c07758fd23383743a6d2cf940834f278f4
SHA512 f06d3bef8ba7aaf5b1b21beef28d60ebfde1c18ff32191666ce1143b9d36545227e113ea9f32fbaa7e983d44de2804d92bff84e2909d995f0f26ecbdf0e55c3c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3ddfc80bdad74c498df8cef88bc74bd1
SHA1 5214899ee615b71d201daf289d02952e27c6227e
SHA256 e240313b0f9d626de59b5613a40a21a6adbf6681cefba62f732fcfa124f027f2
SHA512 e3dcae37466b94fced1d1fe7dabba03300e3c94a59af011a49c578f97c245c5af15125c687941e5ee1862151394cb745037239481e945705dd47c0e390199c75

memory/2832-225-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3224-229-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0f7fbac408f6ce2538b95f19191ce245
SHA1 8689875fede6f4741493ff221a10823547ac1bf4
SHA256 f6264d5c58454e3148929dc78035559d22ef5b6fd47b3a33d4cfa55c5106106a
SHA512 4c3c8cc08bb799c988f6ae4b2216bc72a8472f69073ee6c4d4b3d992c3d0ab80126bc3e5a0ab98ee200a94a4d81acb32dcf0f157af8040b6fb6558fe7dbd1edc

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b6d38396381d2a5e6886374c282631fd
SHA1 0141d40f6f950b1bd0d6bfd57876d9de49c0b5bb
SHA256 ac4cd186c15704edb4901b2aff7c8607efa6bb022df927614e7b045796e3084b
SHA512 edc9bf6b20da7e89ace65311cf44c7a62fc0c3b1ac40c88d7daaeff1094ce625d34bfed69002e45967745b326133b19a1da946b02965a87f607314a863b792d2

memory/2832-241-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4d3812a21ff1a2a090dfa5882d04c6cc
SHA1 d9fe59042019b0eb4edef85418b080f82f28aae0
SHA256 0971bae3bbb3a98c353189d1887a60d562e1b0c39fdeb06b28b6635c2c1ef341
SHA512 8397477a691fa8a54804e1d1f807b6f32f9e7bb7100b86c3eec78fcac29a5b9ca157922711f27f2a0ad824450009e3858ff66a848df4b82edd360268178532b0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1c69630febde3493822fb02024a3f1fc
SHA1 95c918f7e2408ff62c95743334d9a16b67b9f09a
SHA256 61bacd6866c28cc3bd9dcd051addb7a1d9335cb83e79285667af49e0dc9ba695
SHA512 596008f33e3f909403d1cc91f9675319a842cf551a0309b0be25a54c7a1284a7984b1d0f5bebff8add69838787e6df7c6aa3278e37cb8b3acd26261bcc3aefa8

memory/5268-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1252-254-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 276ff5630c83f9845a9776e7e1516d65
SHA1 01562e1f0f692dc3ff93d4b94bf78d5862bffd61
SHA256 86b80bd0b3feb249c6dcb2fcf77d6b63e2bff09344e1499a22ddd9a4c69bbf24
SHA512 ba99ca785d4a421b5ebbe75efc9eecda20909372c217f664c9731e0019c2c2844193f1935557d07638ef20351ebdf5bb35de6bf5a77cd85ee464fed2cf7ff92e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f5f8373971637859d49b6cf11ffae8cc
SHA1 30bedf16269d06e4a5a03435d8e76098a8de9442
SHA256 5f17e8720c53842c0faca3f8947a357190b661e3b178c33af3d8802c9915a6e6
SHA512 3c23bcf0b727c713aefbe67b5d4ddb3dd85d797fede44ff9abbec0266d10916b57c6b861cee4b7f85c08a3f234b83d4b74d8ebe517d3fb1a8e9ab0b381b0b39f

memory/5268-266-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3b8496d6720e6f967e44dac2da9c84e2
SHA1 ad84c6c0166da38e4f749b0128d8dbd2e0ec1f4b
SHA256 c1075d6f91b91c636789e288b1dd2af7f1d8f63e759ee5123efd0f142e204361
SHA512 39361baf32d2d5b42f9e882a1c2f599053616c913115ba57cdef28bb41853c16f101ff005c5078e997a3d2c67b7d473655407b40e8df7430473f166012af87ab

C:\Windows\SysWOW64\drivers\spools.exe

MD5 819d627a5870602c43e3f55baeedc0ae
SHA1 999429c0ee10cd2146ff6de205582c04d8df4c19
SHA256 a902eb9c127bfe90907a61b816d45b26282734090f8f3ddccbeeab2c1bb7963a
SHA512 071dc818f1c1d279f3f7f9b77074ae8ae423de34a92e5a171a5d1df164a49c77145e2d3f8420c9b2f9830bf04857493b9b02881e45c58158dfd7ab3506c805fc

memory/2204-277-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4496-285-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4564-287-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4496-296-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4060-305-0x0000000000400000-0x0000000000430000-memory.dmp

memory/528-314-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4556-315-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4708-324-0x0000000000400000-0x0000000000430000-memory.dmp

memory/528-325-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1552-334-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4708-335-0x0000000000400000-0x0000000000430000-memory.dmp