Analysis Overview
SHA256
731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a
Threat Level: Known bad
The file 731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
UPX packed file
Loads dropped DLL
ACProtect 1.3x - 1.4x DLL software
Installs/modifies Browser Helper Object
Modifies WinLogon
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-22 20:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-22 20:54
Reported
2024-03-22 20:57
Platform
win7-20240319-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\ftp33.dll | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-22 20:54
Reported
2024-03-22 20:57
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
156s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ftp33.dll | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 5.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/2972-0-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Windows\SysWOW64\ftp33.dll
| MD5 | 52cfd3a478476c335fffc7f32dee8f5d |
| SHA1 | 4783f6790ae635e51f2ba96df87c3ddbf323525f |
| SHA256 | 708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c |
| SHA512 | 966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86 |
memory/2972-10-0x0000000010000000-0x000000001010B000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7f5091fffa1c3ed801618093cd50c2ec |
| SHA1 | eeaceced66c61c8c9bb24d154dd9b2a65e51722d |
| SHA256 | c8d20ad81a1acf185f6a152c6d3889d373b4799c905ce11286e3581e6b1981be |
| SHA512 | 151803a121ca25c8ed532c8d22f276ebe26c432d96599e46ca286c1cb0c2733563109ee45e5fd98b44b194f0c991dcf3173e5909784e5ee4ef3ce77b03220d14 |
memory/2972-11-0x0000000000400000-0x0000000000437000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2972-14-0x0000000010000000-0x000000001010B000-memory.dmp
memory/2472-16-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c9c8bc41752fe15a73fd24f7ca4ccddb |
| SHA1 | 53caa164532f072139895d6f4b369ca3201f3477 |
| SHA256 | 4b7713b231369a15b939206cf50f44744a45ccf6a8e196683b8533e8941a854d |
| SHA512 | 3676ae6ebb766b51dc86e2bd7def4a54a91fee4b909c868d6ec17c46d5e61e76fe6e1e22333cb47eee12723443eb316057bfebaaeb7088b21d1c71fc498ad1a9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f57be3ee87980855b6bed84a825e0481 |
| SHA1 | bf12da95305416844ac567089c1b7a729697252f |
| SHA256 | 7f4398eb5656d701eb14c454e229325ca08b67c2bdf9ae3b0b19cef28b2d12a3 |
| SHA512 | 2994daff3c65841127e44fc692086c1f7f1e6c1215f8d2b2a1ad732fe8291bca596e6b3dd14e9a521bd7e407a4da119e2aab186d043b72bafe39c564b7855bf9 |
memory/4772-28-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d97911cda98e53267cfdcdf33ecb0540 |
| SHA1 | cf9045b917d492ca007ae66eaca1b7a618d97821 |
| SHA256 | 7755ef742a652e7efec6a852b63c1ea0c8eb5940ac1561e67ccc59320e8e267e |
| SHA512 | 3fcc88326ccb756280174dc92532c2a4f00c5874e9b7120febb241d0a66e6d15c463ea239b62d5532f1e78af355fbf866275809995b64683894707c9d7f45283 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8bda13e3b160ab623cbad13bb4c4b62c |
| SHA1 | f9f82e179e152b47a3d189623306d1a9d5669252 |
| SHA256 | 3088b39ed270f19cb6c2dfd874c5390bad5642fa8bf06a2dcf5a2ceadd4e19a7 |
| SHA512 | 360fbd399247d05de7427c01ae4f157d1ec8178273608eeac72392b955a0bc61ced2ecd0e40f634ac9a92af3d92c1b8c8006779d2841feafb3a438760c05880c |
memory/4908-40-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 65d7c89836bdd9d9e2b69cdc9ca87b06 |
| SHA1 | e6175f8e970be68162c2216ffafe06020cee36f5 |
| SHA256 | 5a547c78e246da9569ea9f5370afc9bcd27aa3f7453bc6696a143441e3c682c4 |
| SHA512 | 18b79af4e20003982336e63ff5f0508dcfb24a0b52b45a394602d4c4996df0e4017a4a0795eaac7455c2176340cf6c85fcb59b91c9b76cdf8241edd45d1e7892 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9131ed4a1c8bfa64d81fb430d97121a0 |
| SHA1 | a4ba17ad0626a18ad1447a43c971dadd5bd0b00d |
| SHA256 | a4c0cd4662963c2c65094ba18ae12948a752115b5586004fce954e97b17fb059 |
| SHA512 | 77684fceda88f16716f3f346e96eb6cd763042ea219e018ca15e45795b03e2769372b09a0e1333315ebb4b6ab9a54b58b2f000390b8e4ade95fa91cb91f6e13b |
memory/1428-52-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bf4d1ab18da2af484743c5232b69614d |
| SHA1 | 98ad8f01e745c3501202d6e04e88b044e1f13b41 |
| SHA256 | 66dfac62601d8d6e9b1e673dd30b7adad8d7cb88e743a12c1d9d58d02587aaa1 |
| SHA512 | 488237e1e4c4bec00d262341e09d3b58f976ef8b6e6b1491216bcbc609044b19f3e214c72ca65a5b30737bff9b1a8d77f780729db217e51d3a8ff0ebb47f6589 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 901494b597ed92c70016d3900eb472b0 |
| SHA1 | 1ae8fcdd3755739a83429b86f5ed612daa071f48 |
| SHA256 | 4350b8494cdac0806f3c933f074e63d0655e37e5a6a203a50fc1e24e6745c156 |
| SHA512 | ac2c0b4e64176cb8a587225ef306252c5abe22dad6571dfa620551849a29122e68025362fcbb12294dc90dae6285a1a6f215e229be2ff716a2df3114495c941e |
memory/3720-64-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fa6a0ec030bdfdac47b7a42e19a3918d |
| SHA1 | e2766e3d2037089f3860291ebd63f3431cc38ca0 |
| SHA256 | 11975edf01c059f53bab4a8961435ad7b9c11ce11a5a525a8edd97394c0b3215 |
| SHA512 | c1b092c59033a20df8bf4ef14f8caed8c5e45903c9c27ef9e68149b8ca754b70907a80ca88f88796f357184275fcb1ec2f3ac418bb183846255ab48e4c0cf548 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e8332bcf0c20b3d571379001e2658cfc |
| SHA1 | 9ee6d1415df2c8e2c2daf2cc0a2ec8c368a236e9 |
| SHA256 | 3f1faa0afdae0ca798e9ad3d912befe50ce0b0347fe525c69a2af91b0a6938b8 |
| SHA512 | a2e162fd8cb1860df8d17a4828caf3a8a887d856931e0bb8d0c0ed6449db05633b3e8ddb2f78fd52a555008aedef251ef87f4117dc0b2df096bbfb5bbcb2f2f3 |
memory/3084-76-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0733fcf315b661053781877254c59e0e |
| SHA1 | 8dc08798eb52092d79bfb3ae272900791885c286 |
| SHA256 | 921de54a7a095297f38f4041d86cb27b07a13750d65d02d8089e403a513f384c |
| SHA512 | 77fdbb3a2157e7e715d76e5e921ddc2ef73951e40c67f06e3ac5c09a220fae4436d28fe32068d346a7279605d0bd507398aeb73d08c83c295173d5f3ef3c5d40 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 910fc250ee0df23dbc506a1bb238177f |
| SHA1 | 6f6a68af9e77cd6c469449e91c513c9c3e769c5b |
| SHA256 | 26c5889eab5d623479d820b08befe96c933a0e239a3b6144f51e37730438502c |
| SHA512 | d90852a01b360de4a08414fef7104d4ed03cba1cd4fa83e0e34e43e3abdcdbabbefbc79be90267fb7632ede22c90b883a9dcda50eb202c915e5317d9707b7878 |
memory/564-88-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 49ff953f45dd058a07d2ff4f3a487ae9 |
| SHA1 | 36f878366dff9e1561e09bf0ae0c0639b152a3d5 |
| SHA256 | de55e28bfff8cb568b5f2f1c7e6e88e725615ed1e917dc55640e848d1eddbb07 |
| SHA512 | e3e07d98bb1a05f9364f5fa6567695915ee259536465faa8fa9adf06ef8ba78b8bdd1bb9315085d8368c9221cadd1c7390e11d2f260451295df5c70452d18247 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6a4631516a9749deda5a72b1c5bfe8e8 |
| SHA1 | fdea9be8c88a19c1c80d8e575394b690a08bbf83 |
| SHA256 | 0a057416a78cbb8ef6d12191c8dd51f956becda762d2d9241b9380396a7fc473 |
| SHA512 | 1d0e064a66c585bf475038e87afbe3ba55f43a799b3a85be5dca072427a88328b06bec48c0d8470e2e2835d2634df2ade78f1ff85b46d46dc46e3ff0bfffc8c4 |
memory/3436-100-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4de3db7c9b1781c2012d0a5bda9beca5 |
| SHA1 | fedfa462cf9bc4f5c310b7a228ba93ed09e58c5c |
| SHA256 | c096ab201895c0dbf755e6e2d3a9377962e3aaff6e0e7e685dcb39a898600da5 |
| SHA512 | cc74c422b573e64e2095fe544917dde997b3958b39d58b62c92c32850d20675282075267a5e8ecc709a22ab50597866ba7f0bd44fceefbec81a9334531ccc983 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4beb447acd2bb23f095ce3d6a15ca296 |
| SHA1 | 80bb58ee31774c9a308abb81d0dee603647bc765 |
| SHA256 | 132304b8ea39ce26d4b7cfa51bff2eb6276de75a847464cd328d9a28f57b0c80 |
| SHA512 | 0a927ceee387c5180bd921ab912ed9ff6a2183507ea381b0c2716fced047226307aa6e2e3f42e89a985e71e0a0d4a97ba4c1aa8e5b5f6df0acffb26697b36ede |
memory/4820-112-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 75698db2a308e95b73b9337a9031449d |
| SHA1 | 1df739f59af22fc5abff0fcea2ac4d79eb417101 |
| SHA256 | 515a0491ee471429e9e47cb5d5fcd945566957444ed3af0ecefdeccd44487009 |
| SHA512 | 9c10ece545e376e3e5e5792a6f17e66eeb02eefde3d95548707d5908bae7b6fd0b20be86851282636d8e6e03d4b001e4fcc2650c27022b23567445b11a0e9c33 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4b2c4b93cb42fa445295a08604591117 |
| SHA1 | 45924ba04b2d1e849ccd40ad4c593147a02e7e2a |
| SHA256 | c65cbca83f64f369bb72ceac08fecc5e6efbb979c91037d6e79a410aa1bd999d |
| SHA512 | e55059059e2a84f01672742d6eb86c87a0d6425227100af1e5288f50c0edb26085ee5796bec6385f573f3b84a934b0ce801f99aeddcc143710bbff836b5d0da5 |
memory/4008-124-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 55a9c1a1d007b74ef7c72b2a1ac30593 |
| SHA1 | 228af8540156503ab810dae625f13c173994fcfe |
| SHA256 | 5901056d6e035fdcdf1fa8c2060afde23269fb3ebaf41f03d7f9e431997d0d24 |
| SHA512 | 0bd7365675ef2a66b7ac12eba5fed110604886016544dbedeaf87c268a9f245a698d05143255855c68a14cab0ad4b4d5ed3fc15a7c9b755b4b891f642909e575 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 279bc8ef6b7add4a28036a50ca9ec36a |
| SHA1 | 359e6017d352839974de537536e8d449fc4e0e9c |
| SHA256 | 43bd52ef3a7ed2464f814c8f5251f8ecfd1c4777442f602da623bc541e51f405 |
| SHA512 | f95b5658904a2f8a4c426d0223ea8b82f31c448411bb2905bc3407321edffc8907f3acba06684f166400c9ff3ac1560f667d648ec219d51431a5fb2b888b5f80 |
memory/1244-136-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bb72323322e57a209d6629b8874d52ba |
| SHA1 | e6cfcf737e27f231c7c29b2fd4d9c5b0cb4ea78a |
| SHA256 | bda41184b8f92e8ce1fb9db1156b90c6f70a1cac7b13697bdc6ead01cb93a794 |
| SHA512 | a7c09a82969a1cc26e611c183bac3c1b55cbbe3cf5e876aba166883e3c60ff38cd18b970fc319e8364178144b43a9e6a8c582efa0372e7af03e7127bfd9bea26 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a837beb63978829fc02d81fa2418202f |
| SHA1 | 0c334c863908039b7d892eea25660d3351cc13c7 |
| SHA256 | 03729f058e459731c931b80cab6f0a17ffd8f34dcc038f269f9e10ffa8c9cdc5 |
| SHA512 | 457138d6b65f807a69c2f7ca40a5a6a2a4efb4a8c8331bdb9fdd13bcebd14a36c60e4fd0653a76aac23e4cfbecb161b097b9c87d10dbe21d9ee2acf1d90befec |
memory/1312-148-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fbfb6dcc92040044f931fd8ca3dc29e4 |
| SHA1 | cd8e520834b35fa71c1e6aac35a5895c79f6e8e6 |
| SHA256 | 0ae69ffe6d7a1d73579af1e297668abc7bca650d9ff92c3ef59ee98c4cabe1a1 |
| SHA512 | aee48691b6f6a7044439136cb21cf8e8b530ccb639e08df586bc62c839f054b3bec0bd96e6f7034942ecb9f4b106afa662be1277b5153a35be72ddfc722b4436 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 418e0fc81f5426977b543926d171e275 |
| SHA1 | fd12246791e9c20b9688f4a20e3826a4b1e3354f |
| SHA256 | 20406b64dcaceae94782017bc7778891beb7071aa88ca0db930ea347d1d322fb |
| SHA512 | 717e5b14ecd2c40d23a77ef39e20280c42da7fa09d41a2d996a257e2a1d91724708f75dbcdbb1b4aa1804641856f7d09b16093c7e87c7c978221eaf8bd7bc237 |
memory/2840-161-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3748-159-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e813e3a78e974ed79a1d9b5dc3b82d46 |
| SHA1 | 544ab0e65ed220d8ef7d9ee3d60f8e69863e3a46 |
| SHA256 | 4763109e6aa663023842ef51d11994cd52e4b508dbff7eb5081ecccf03e7b160 |
| SHA512 | ab57c01c63fbe9404a45e3380ec4b672f190e9679933156a866655c3b27030965d24d924d26698bf67583c42a5bbb14bdad1e018c2dbe17226a07b6d5b8e7b64 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 09de17b5d54710f5fe91bf7b7210cabe |
| SHA1 | 3379395daa74053443f701e130725b01b0974543 |
| SHA256 | 652d2b83173c106114e56b589b5cc6ce68655b7c01ab6cd1d9e692b5d651cbf8 |
| SHA512 | a64dc4e19f7fbd23623a50660df3c5cf79ed4e86a8324fd38ccb79d16307e79397d5df8f35b2d11abfa15b0014a752d64367a1a509270136521d901754abada0 |
memory/3748-173-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c6f7c7ed5f29e9f552156e660ae8096f |
| SHA1 | b87008ec7808451f13bf4a9ab25b26bd495237ae |
| SHA256 | f94220052c0d7bfbe1432bac0b683363b654d088d2bb7b2fc2ef92d003715bd9 |
| SHA512 | ce7e0cfd0adfdf7224ecc53d917bf49842c0363c6b71628926614d5a9f4a9c60bdde36d66fd21fa7a2d256beb60dfdaf4f91100c22b3b044769c7609c1c06d43 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d21baef060936466f45b5bd4d6b4236d |
| SHA1 | d6c25e5629dfe8f187e77a049b058bc5c1e86206 |
| SHA256 | 1eab784418dbbd96085aae89e8b6fc07ed762aa659591feb8ed7eb7689f8fced |
| SHA512 | 05b8dc186a8396d30d083318a5d1fe8be1397e2a9183bde6fbec077efffb0aa0ee99c8f637c107bf3c093c1ffce896a3353cd44f1523c875bf7b217a9b9672ea |
memory/2076-185-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0e56776e7676e87543a1cd237bf26f7d |
| SHA1 | 0e723bc030ec821934845cf0fb1757162e362428 |
| SHA256 | 59eed750eedc5130e63521f0abf1972c12f02b2c60096038500d67c784517188 |
| SHA512 | 17c91926fa908bd01d42d52760e4d4b249092a40a0e39bbbc261058265aa8064eb009e5b089004b12c4089436bb37a92321e86c2519a74c1fd28b51afa9858ed |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 69ad4aba18a8ed2b4f64a269485e4c65 |
| SHA1 | 66eb283a7dce89e0e8d38431a3ac9ae6f2406234 |
| SHA256 | f489355ec4ad9684a5696dda7bb69489c0285fd1b8ea8783e844a21d3dae2d33 |
| SHA512 | 65b7a85e8ce1cc61c5227b8736c5a77675fd123dd2911e431ccb41715018406f35810a8a04e9346935641569385b601f35bc487258ff3807f585157298ed6198 |
memory/2540-197-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0fb9a26092f006d84492ef4a087ced59 |
| SHA1 | a95c6fac5b468b89f0b6ea9b82f858ddde47f2f4 |
| SHA256 | 399d5557b728c2d34b52ba6652e27c4066cc61fbce340ca8882d2e464c33518d |
| SHA512 | 561360985d7599523505a5635c4b6281a5e693fbf1d379ea1048fb768dcce9c46dd6be97c04a6a9bbc6dadba685cf9e363e6e52314ab89999063f2e2c4fb6b26 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e3c133ff938b5d1d7e882bd96821608f |
| SHA1 | eca7bd901fe08fd036bdc037df4ab7b9eb4b8616 |
| SHA256 | 0612c496c92ea4f814291dc168225f91f12181b7d9ab1212800a5a6276387d9c |
| SHA512 | 57d41fb7045526c3d041903b333095230b2de26014df1f1837d54dc6bcb406969813ecc22ec1d1577963ec543390923e48dd8cad6092ae9002c53e28d62351f0 |
memory/4368-209-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d5122e88c9cec5607ba42bdc06321b2f |
| SHA1 | 50c590b1b49032cfa8a09637a24eac0a29cb55df |
| SHA256 | f009952b14e78cd28c1382c6289e7fc1b832ea1e9c8a98dafe3bedcc2643561a |
| SHA512 | c0ba54f0a9d1a849cbce5ec6dcf48e8832925300655c7863fda95cacbad21f5812dd39a3684ecbcd261dc1d012a482d929fc78f87fe5e820b777c602cf219520 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f8f4b9ec2e36f06de7a2fab1763a3e18 |
| SHA1 | 7e8f3e5f866dfbb7824f92804a80dc5b6608f118 |
| SHA256 | e91899a4f6f5a4448cbb3a8ed07f76ec023ab8d3ceb31e40a3833c174ba338da |
| SHA512 | d763eda94c398b81aebc1a6ffa1f5089b64d7ccfd84b0c791d3514fd879565b85d77037dd8b3caea5420559e5650794fe30ec4fa51d04b4bc618dbdd28707bba |
memory/1188-221-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 511abfa4a180ce0927077410d88387bc |
| SHA1 | 5fa3ffa66ea03fa85213b931d28397ab948ec2ef |
| SHA256 | fe1fd8d727bfc3d73678bce53f454cc1245e4192a8b8903a7ae74faa4f2bec7a |
| SHA512 | 2c46e95581e42c1dc4faf1aae3ab870e8f9cfb1123d34db2ddecf1df5bc7b750335933697b866335063bb875817ca1fe998a97b3e95efad5fc3c5dc2a2f4f87e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e136f91cc9e78decd3f3c1927dd0e409 |
| SHA1 | 4c10df17b6497f913900912847144f7bacc70ab0 |
| SHA256 | 3245cddd363cd886aaf31d879a8f5eb01188e79055a618ef6cd03b835cf6b546 |
| SHA512 | fd19d3f0b89e6991b3c6092b17e4962c53b94de3b85316e8b01ae0decc3e45626cad24555511d876245d1e5dfa5b40572a8fec5822c15fb5a598add5a0e21c24 |
memory/4704-233-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c8639d6750ca0d8117f73402a455df62 |
| SHA1 | 4b0dbb3338a6fa095d14cab3a35ab5dc541cc5d1 |
| SHA256 | e1dc8359bac50130b26969a2ef247e5d89c1e2f472f67e5dcdca220feae24836 |
| SHA512 | bf2310d68c1fdbb7a93c787ab75916f69bcea270034247567b1c937e9e86511f97f2b727e0d56113a2a70433aba10869ddfc516cf29541a3bb28ee6faee12326 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a153444049df1dcf2222b01d574fff15 |
| SHA1 | 0d3dde46a20d9bb308323e2c5b6760f46689103b |
| SHA256 | 9eb17f5abdbf582169f2be51fee25729d99b49a906df8a680e64118b9e9c3c94 |
| SHA512 | d2407e7002542878dae2055fb6ac64ec65a2979a356c2c77fd0b242f97bbd4b29847d39c5e0bbde12e1e0d0c0e477c965e4c1c17d4892467779c38ee01ddb844 |
memory/3056-245-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ba2851438d65871adcb34e867ee054c4 |
| SHA1 | bac46721ada91a5136490534b9f1f05a9ce29fb2 |
| SHA256 | c7cfaba92de7f85eb76949dcd3c1a7005776d7fdc4f58172088cd0fa918cf647 |
| SHA512 | 70966ef2db4a73f1b28ca37f1fbcfb7c88952985d420ba0a0f35a585463a296b762844e256543972157a0414333cd9f6808bd4af512e255a44a38a5697b241f4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5cf009192764af116d7941cf4a513398 |
| SHA1 | abf3aef4eec4e7c8a6daafc6b63bd94d4c44843d |
| SHA256 | e16e7ff4af6e6bf1b6f832d8308533540a70a0c93df4aa00e75861479e9dd253 |
| SHA512 | 3e0e6f3407e6a2d5d07e5d32c2f48fa7a5b142dffccb48ed8b5e9ea705113a3b501d621615ed5d55e4e259b068370b3d7da967f5b26257d7781f80bb8578f06b |
memory/744-257-0x0000000000400000-0x0000000000437000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f09338f0843f615b68477b34459b24b2 |
| SHA1 | 20d5f0941fbc18afc0506bb1f1f192f730f5f9f4 |
| SHA256 | 9cd21b3c4afc219453c2e9d4e932da0d21f9d3023ae7cf659c5dc2873277cf72 |
| SHA512 | caa40435707d453c5a71aeedc5210e9e8848419d3aad695fcb6e7f2242647bfe74308c9dc8eadd8fd30b73a036e309ca4ed47952a35916fd20f68a77bcab8cd9 |
memory/3220-267-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1472-276-0x0000000000400000-0x0000000000437000-memory.dmp
memory/3268-285-0x0000000000400000-0x0000000000437000-memory.dmp
memory/928-294-0x0000000000400000-0x0000000000437000-memory.dmp
memory/1516-303-0x0000000000400000-0x0000000000437000-memory.dmp
memory/4184-312-0x0000000000400000-0x0000000000437000-memory.dmp