Malware Analysis Report

2025-01-18 21:23

Sample ID 240322-zp7a1agg88
Target 731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a
SHA256 731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a
Tags
adware persistence stealer upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a was found to be: Known bad.

Malicious Activity Summary

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

UPX packed file

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Installs/modifies Browser Helper Object

Modifies WinLogon

Enumerates connected drives

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-22 20:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-22 20:54

Reported

2024-03-22 20:57

Platform

win7-20240319-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ftp33.dll C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2004 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2004 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Windows\SysWOW64\reg.exe
PID 2104 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1828 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2576 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2792 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2480 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2944 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 880 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1956 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1624 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1624 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 796 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1060 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1772 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2932 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 bublikimanager.com udp

Files

memory/2004-0-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2104-2-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2004-1-0x0000000000360000-0x0000000000397000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 43815cd0051aadc351a144ebd969b5c0
SHA1 3f36f9bdc6e2820492253b62bc2c19daa3e704eb
SHA256 4782ebb4c6ccb629300c374b7854a1895f357a5cab0e4c4624bf977d3f134d2a
SHA512 be6e602a521ab0c6e8e2c118455c08945e6a63fe8b248cb94eccba8c8e7ead404fc14d90becae3596c8b218a7fe2a764c73ea72f11c60c5b982e20abadee1563

memory/1828-7-0x0000000000400000-0x0000000000437000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2104-12-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2004-11-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c6011e7beb3191ae11ee0c8d45200ddb
SHA1 6beaf4787143fa264f3b0bb6364669e13cebdf76
SHA256 6159dcecba36289cc63c2a04e3aba88bb63d515902b6555c2dd1b4190f266aea
SHA512 bcd140b7cddaecca3f10f63e68f5f592bb4c6bed4d643527a286ac48a4a60801f06166ce7b7862891d3b616598782c82d6f37ee6a851b934b1b81cebd5ccec59

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8000e753590db4e32c9218f1646d1789
SHA1 445e6c943748d5fefac40b02787c98ce03074995
SHA256 80cd52c5c730a9dcfe4f2f45f9e5d8da8302d41ebc269a67f931c68906391489
SHA512 42d68341c310c2ec74043b5d37c218bb50fcf77ad0df525275874eceedd2539e2474406a0b4098d9c25bcac1acd320dcea5e5ba97668a364cb1e64b3bcfd7761

memory/1828-18-0x00000000002E0000-0x0000000000317000-memory.dmp

memory/2576-23-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1828-22-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ed4a25229f65cd49547b9a8fb746c928
SHA1 e85daae6ed9f47bf70565817d44234128a7076f8
SHA256 9f0edee816325d063da58051dbb59b1bec32d660c4e678e7d689ee7645f4eea9
SHA512 0602e22771bc623b3c634178f86525ae9efeb56c23b58f5cd10c52ee0de388957322f18dd798ae9915c9ca74ce87bf83b1f71946156a9207d44af0959390912d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 303adeaf6c799b6abb977965b748063b
SHA1 165effd391b45b0c949df9935b41473e6802e267
SHA256 2378ef926108dd7ff9828522399fd01df5f9bed66e90f8e67bab4c20af3fea73
SHA512 9d814c78d6c8f349142773af6632a2274a3e850f2c05684d9a5efb2ad7e65b1702fdf612698934c52219caf2cd45dfda8e6a88a95217cd6a75e8d334650412a0

memory/2576-30-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 48e9ff57da36b5f54f9da7746834f47a
SHA1 40098ca92874fea56d991a1d0ee14f5742e7839c
SHA256 55062941899d4c1d57a4cb7641d149d4a3280491290861ef009799db028f7740
SHA512 5fb4d8f7565512a32192b569d89972a02bc3d41e34da793cecb3fdc4c2886499f80eabc8727113927f31c4a576305d7ff71f6d230b93ab90368f887912055a5e

memory/2480-37-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2792-39-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bc5d6064671e4d470f066248abcbce70
SHA1 d4914f8808786102d107a5eb3f2a730b09d75ce1
SHA256 97ec85bd705fda74a078b6dc7ddad83302401116e9bbc411d64b61d69198945f
SHA512 c4ab177df466f99bec00b8d6c68f6c4b2c2e686bec480bf6e4c0604a5997efa3d466b34f555998e34234ffa9d3aa5a137793cf324c8e0cf8dd700b5865210efb

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6d8fff658598939b28850ce57ae36fd0
SHA1 9aae963a8f2947196422d8596e5900bb411bdbf9
SHA256 e96ea2b65d2a026f1a57f3e8c2b6aff1297b1c361b853720a5f81cf1a46697d5
SHA512 e25f68e2b6e21f7606632bd516424687801b90c30e8c49c0d5a3bc636b38ca19472f97a328d3084e9bd37ebb7a6c9bffefab43f6b1c67a807f4c63b47cfbd312

memory/2480-49-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2944-45-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4e69bb101ed634abe212661d711a7cee
SHA1 55429396db2a7cc515f9ab15f28001fa6ef7e7dd
SHA256 2a34b4d4e3eb1bd33c7537eda4136e192e81558eabd2e6e80181f32f415c7e85
SHA512 7d3f2d0fdd05d30b1fe381359312380b7219e962f2e90b28db8cb573aa2785ba7019422c52c89b9acc318d8a7e048dbb5aa13adada8e9c760e40902ff987d73d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a586eb6f48bc74a870550d424bbeecf6
SHA1 8c292750f22791766edf66ec5688c606467956fe
SHA256 28c12b40332b4ee5a6e54748e48da145a4dba8e3e5bab7f45f62a95b55b2514b
SHA512 add46e9d27d0346b8e0a6688492eae2dc2f8d625914f3130d839b3d3f7eedcac6d201ff82f7dc60e4df7f0f86b668f42eae595e2db8b7b5bbbd83fa4256064ed

memory/880-56-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2944-57-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5f5c352f76f4289df91324aeb251e185
SHA1 b5e0192fb3facc1728026200055ceb3cbd4ad861
SHA256 f2547b4f5cecbad41b806f8d94cbf5e180fcdc319c92993eae9111757137e730
SHA512 c0ae3d5c322453b91a73a662760b8a2a5fe861931b74fa27e6d8e42f3178680c9e4bb5a094bc763a609153be4a3b85de7354af0874fc8f1b51344e5e3764d332

memory/880-65-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6bcecf32fbe7551b8d0ed75b8a3844b6
SHA1 20d8964f036c1bbbcb7a8827a3cc0abaf6b31f58
SHA256 21b19e13ee6ee319f997b5297c26c8aed93f6351e535c9140dfffb08a99f6b84
SHA512 1211ea8a9a1faa06c3850582d310b80ada974ced83117bf180e3677299f9d516dc67acf4b7bcc4dee0ce1cf6601c2b2eab1b89853fab7f6bbf1dce888e479747

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ee44006a94203d89e8433ef275018ce2
SHA1 b86d9cf5cf0cb6717d07521b3b837c32722ea150
SHA256 19bb2b83ebdffae99a1c97c15a68c56828fbe48746ac3f7661a4ed7cd5364553
SHA512 cf8bbcaf1201113d2b12e900963417c75013eba927b98c747fcdc95978b2da9ecd5645bb05ca59b4951fc696de98936d982c63ed39b41c7fc18ef5bf56decb46

memory/1624-71-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1956-73-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 27596ee9a0dc05e450a2220a2fb85aa2
SHA1 dd04f6a9459bd28c1d10864b89ca248b9b4e825a
SHA256 2fd5e56c943852941fd9e8f3cdee1c25d9aad2dc6869f3066b7f275c68a6b4c2
SHA512 904a79abbe64636a66d824d61cf170a1c6ee40963dafea4a4fb35c8d54cbcc8b0603b693eccdbd029f0a0990452055facb4fdee51dacbd57f5027e1088f65849

memory/1624-83-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6b2ee45ad8e5961667d9adf75c5bfeb5
SHA1 1702be610342335629c4fff4d3524e38f3341102
SHA256 4637cd9a440353b42b00bd9eb9f106d02e13cfc781fa6083b87b9707680a87b1
SHA512 7e698e91209ba89692ac0fe80907ddb7b65c523b787804372ab4c491c7507870dc4d9788af8109e53798d22a46c9066fa439478fffc909f69e3465faff2c2937

memory/796-94-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2932-95-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1060-93-0x0000000000400000-0x0000000000437000-memory.dmp

memory/796-89-0x00000000003A0000-0x00000000003D7000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5dfebc9b55a965dfef5cf6bc27d6f9db
SHA1 c7403f406de5827671a7a718b1c5cbddc485e1f7
SHA256 1040d9702b83ee060d7915ad832a9c8f02cfa98aa0d2a8625956982da8d4f0ea
SHA512 685696c88d33886a23a73054d28f8a48bb96ddb603fa496016eb4d35aef2e397f91f792609da8f526732599d76f92d1843c1b392d520381071b6d5fbb094c0b1

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 23f4ad817e4ef53297e9529d397beb49
SHA1 c670ca13b2b69b9c463055b68be9ffb910774996
SHA256 51d73fccb98ce5a0984e53bea9861376a3b62a625e97b12a74bf6dc34c4d2868
SHA512 4ec6f74b47dee2fe59023db2f79a046ed0ef4fdf8b761a53c2dedd42a625168f45051dc01f6708a1e4aa8e82251968bf5ee740728b83b29f1afa834c61a097fc

memory/1056-106-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1772-104-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8a20325ab14810a179be36bd06364578
SHA1 dd3ad82b0ae09048abff367bbddd9c13952171b6
SHA256 dde34d3cb7a3955ff8f1449b5707c1e9cb496b43be415b2cc0867ee5cd9c85aa
SHA512 1b990d1eca389d0415668a942d433def40b3a937b5936fde1c63af496d539b559c3dd9bc02f85a9c3e92241b401ed4fdb0d3f047de071e4fbf055f5a850f00f8

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3f40be953b666e2226caf8613ca86348
SHA1 005fd46280e8e2c7ab2cc2e090d43114547c0f80
SHA256 f29c30ae0a992616d7c0b79d65f173049da4b955c4ece225e69001a5c361ab0d
SHA512 f2d968132b2fc8f5ef46543134c8735f9c3c29642c87fad8dacc82ead0c5cef553586f2d416f1cbb9fff4505ad6724b8fb8f2809f3b8723eb243e18c8524ee07

memory/1904-118-0x0000000000400000-0x0000000000437000-memory.dmp

memory/432-120-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5d1f6aa440d3234ff8235f9608b077a1
SHA1 b66a35351141ce4660217951e91b7b3ad60fe3de
SHA256 9913b3e351ce477d448a785a49df121058533e66a75c08dfc827cb66df6f09cb
SHA512 f0ade446535764bfc03ac15d2132fac49d7f587760db61067271cf34fe15b25ec999b673e6fcdf25dfe5484d20b5ff1214d380f60711c003234d1f4b98519572

memory/976-135-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1552-137-0x0000000000400000-0x0000000000437000-memory.dmp

memory/432-136-0x0000000000400000-0x0000000000437000-memory.dmp

memory/820-131-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6ae72d501bf2f56c8fcb336bd0a3f6e7
SHA1 ff006da0228308e341b8a9b102b9922774dfefd1
SHA256 22c37f052c3b871bb49c49d9b8c33cb8dd80a88c42c6466d62711622a400e527
SHA512 1af007c7186902997ec4981fc1ca1fb3111c26a6ace9ebab68c7725a9fab024d18d6dc26121a5b475f87c7418361df3306c8174167b81a0daf08eef151eee364

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f9fab2e8b2710a01c061b74463583e67
SHA1 8f4c4ba40b5f982c1bbac53487bc267c6e6a5c91
SHA256 2ec699e0c7767e484b1bdc7e8fa5d24c4f17d5a8f29aeb3181dc3ba0666decb1
SHA512 f40dea5f4861cccc2924bf74a59f77391cb75bd7a3a4ebc1cf1138f4a7353f40b24d8e1937c47dae8240f3edea4362a12a5674be9ec884caa745d808372dd685

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 359a272f4e43579e59be8c44e510bd04
SHA1 695d6b0c550a1e9e60d081a44b94bee1e8ca5f88
SHA256 0b77470b829bf4cbfa36685e83df30ec93d80beea0a73ab24186361fdef9cb1a
SHA512 b97f30bc94efdeef66e92523532544caff9a877ee3710bd5d131ef57c3cb2b20b7674814c004726b8090a7f7a36d78ba7bac842606ab84b6c422de28a353b1dd

memory/820-144-0x0000000001FD0000-0x0000000002007000-memory.dmp

memory/532-145-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1160-146-0x0000000000400000-0x0000000000437000-memory.dmp

\Windows\SysWOW64\ftp33.dll

MD5 52cfd3a478476c335fffc7f32dee8f5d
SHA1 4783f6790ae635e51f2ba96df87c3ddbf323525f
SHA256 708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c
SHA512 966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

memory/820-155-0x0000000010000000-0x000000001010B000-memory.dmp

memory/820-160-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1552-161-0x0000000000400000-0x0000000000437000-memory.dmp

memory/532-162-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1160-163-0x0000000000400000-0x0000000000437000-memory.dmp

memory/820-168-0x0000000000400000-0x0000000000437000-memory.dmp

memory/820-170-0x0000000010000000-0x000000001010B000-memory.dmp

memory/820-173-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-22 20:54

Reported

2024-03-22 20:57

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

64 drive opens were logged in total; the 18 letters above (E, G, H, I, J, K, L, M, N, P, Q, R, S, T, U, V, W, X) were each probed several times, and no opens were logged for A through D, F, O, Y or Z. Repeated read-only opens of every candidate drive letter from a user-space process are a drive-sweep pattern, consistent with the summary's "Enumerates connected drives".

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A

Despite the signature name, the operations logged here are deletions, not additions: a 32-bit reg.exe removes the Browser Helper Objects container key and two CLSID subkeys under it. The only reg.exe child recorded in this run is PID 2832, written to by the sample's original process in the WriteProcessMemory table below, so these deletions are the work of the sample. Whether the two CLSIDs belonged to the sample, to other adware or to nothing registered on this image is not established by this run, and no BHO registration by the sample itself was logged.

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

UIHost is the Windows XP Winlogon value that named the logon UI executable, and logonui.exe is its stock value. Winlogon on Vista and later does not consult UIHost, so on the win7 detonation platform this write has no effect and the value is not normally present there; its presence, rather than what it points at, is the artifact to look for. As with the Run keys, the write is redirected into the WOW6432Node view because the sample is 32-bit.

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ftp33.dll C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

The path reads SysWOW64 rather than System32 because the file-system redirector sends a 32-bit process's System32 writes to SysWOW64 on a 64-bit host; on a 32-bit host the same code would drop C:\Windows\System32\ftp33.dll, so check both locations.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

This value was written 27 times during the run. The command written, "%1" %*, is the stock default handler for .exe files, so the sample is reasserting the default rather than redirecting execution of every .exe through itself; a hijacked association would show a different command here. Repeatedly rewriting an unchanged default is still a behavioural tell worth keeping in a detection, since legitimate software has no reason to touch this key.
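A host-side check for the registry and file artifacts logged in the tables above (the Run values, the Winlogon UIHost value, the exefile handler and the dropped files). This is an added example written for this report, not code from the sandbox or from the sample. The value names, image names and paths are taken from the tables; the decision to also check the native 64-bit registry views, the System32 location and %LOCALAPPDATA% is this example's own assumption about where a 32-bit host or a 64-bit build would place the same artifacts.

```powershell
# Added example: read-only host triage for the artifacts in this report.
# Not code from the sandbox or the sample. Names and paths come from the report's
# tables; checking the native (non-WOW6432Node) views, System32 and %LOCALAPPDATA%
# as well is this example's assumption. Requires Windows PowerShell 4 or later.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence. The sample is 32-bit, so on x64 its HKLM writes land in
#    WOW6432Node; the native view covers a 32-bit host or a 64-bit build.
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$badValueNames = @('ntuser', 'autoload')
# Image names from the report; they imitate spoolsv.exe and ctfmon.exe.
$badImagePattern = '\\(spools|cftmon)\.exe(\s|"|$)'

foreach ($keyPath in $runKeys) {
    if (-not (Test-Path -Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($badValueNames -contains $name.ToLower() -or $value -match $badImagePattern) {
            $findings.Add("Run value: $keyPath\$name = $value")
        }
    }
}

# 2. Winlogon UIHost: an XP-era value (stock value "logonui.exe") that Winlogon on
#    Vista+ does not use, so its mere presence is the signal, whatever it points at.
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($wl in $winlogonKeys) {
    $uiHost = (Get-ItemProperty -Path $wl -Name UIHost -ErrorAction SilentlyContinue).UIHost
    if ($null -ne $uiHost) { $findings.Add("Winlogon UIHost present: $wl\UIHost = $uiHost") }
}

# 3. exefile handler. The sample writes the stock default "%1" %*; only a different
#    command means execution of .exe files was actually redirected.
$exefileKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$exeCommand = (Get-ItemProperty -Path $exefileKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
if ($exeCommand -and $exeCommand -ne '"%1" %*') {
    $findings.Add("exefile open command is not the default: $exeCommand")
}

# 4. Dropped files. The Run value's XP-style "Local Settings\Application Data" path
#    resolves through profile junctions to %LOCALAPPDATA% on Vista+. SysWOW64 is
#    where a 32-bit process's System32 writes land on x64; System32 covers a 32-bit host.
$dropPaths = @(
    "$env:SystemRoot\System32\drivers\spools.exe",
    "$env:SystemRoot\SysWOW64\ftp33.dll",
    "$env:SystemRoot\System32\ftp33.dll",
    "$env:LOCALAPPDATA\cftmon.exe"
)
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
        $findings.Add("File present: $path sha256=$hash signature=$sigStatus")
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report were found.' } else { $findings }
```

Run it from a 64-bit PowerShell so that both registry views and the real System32 directory are visible; the script only reads. A hit on the exefile check alone would point at a different sample than this one, since this run wrote the default value, and a match on the Run-value names without the matching image names is worth a manual look rather than an automatic verdict.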

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

60 process-enumeration events were logged, all from the sample's own image; the sandbox records no per-event indicator for this signature, so the count and the source process are the only information it carries.

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Windows\SysWOW64\reg.exe
PID 2972 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2472 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4772 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4908 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

Each parent/child pair above produced three writes, 15 events in total. Read as a process tree: the original process (PID 2972) spawns a 32-bit reg.exe (PID 2832), the only reg.exe child logged and therefore the process behind the Browser Helper Object key deletions above, and relaunches its own image; each new instance does the same, giving a chain 2972 → 2472 → 4772 → 4908 → 1428 of five copies of the same executable. Every write goes from a parent into a process it has just created, which is what a sandbox records when a parent sets up a child it launched, not a cross-process injection into an unrelated program.
PID 1428 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1428 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1428 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3720 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3720 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3720 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3084 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3084 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3084 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 564 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 564 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 564 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3436 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4820 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4820 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4820 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4008 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4008 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4008 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1244 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1244 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1244 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1312 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1312 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1312 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2840 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2840 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2840 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3748 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3748 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3748 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2076 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2076 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2076 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2540 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2540 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 2540 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4368 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4368 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4368 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 1188 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4704 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4704 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 4704 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe
PID 3056 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

Processes

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

"C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

C:\Users\Admin\AppData\Local\Temp\731902fae71cf1d0f16b20e94992cbb52072295a01957aff6a94d9c11ede999a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 5.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/2972-0-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Windows\SysWOW64\ftp33.dll

MD5 52cfd3a478476c335fffc7f32dee8f5d
SHA1 4783f6790ae635e51f2ba96df87c3ddbf323525f
SHA256 708e375cb5fe09d4bbd61dd5622f3ce1b5a11c5c4648cb7c4ce87d96f9c6151c
SHA512 966a909d3e2cb46d3fa07e66cb21b2917bd003d081f670d2f4aa1d8ebe17afc936ee7e4605da86a576484560799cb33f3fc13fcc6632bbcabe65e5726f8d4d86

memory/2972-10-0x0000000010000000-0x000000001010B000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7f5091fffa1c3ed801618093cd50c2ec
SHA1 eeaceced66c61c8c9bb24d154dd9b2a65e51722d
SHA256 c8d20ad81a1acf185f6a152c6d3889d373b4799c905ce11286e3581e6b1981be
SHA512 151803a121ca25c8ed532c8d22f276ebe26c432d96599e46ca286c1cb0c2733563109ee45e5fd98b44b194f0c991dcf3173e5909784e5ee4ef3ce77b03220d14

memory/2972-11-0x0000000000400000-0x0000000000437000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2972-14-0x0000000010000000-0x000000001010B000-memory.dmp

memory/2472-16-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c9c8bc41752fe15a73fd24f7ca4ccddb
SHA1 53caa164532f072139895d6f4b369ca3201f3477
SHA256 4b7713b231369a15b939206cf50f44744a45ccf6a8e196683b8533e8941a854d
SHA512 3676ae6ebb766b51dc86e2bd7def4a54a91fee4b909c868d6ec17c46d5e61e76fe6e1e22333cb47eee12723443eb316057bfebaaeb7088b21d1c71fc498ad1a9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f57be3ee87980855b6bed84a825e0481
SHA1 bf12da95305416844ac567089c1b7a729697252f
SHA256 7f4398eb5656d701eb14c454e229325ca08b67c2bdf9ae3b0b19cef28b2d12a3
SHA512 2994daff3c65841127e44fc692086c1f7f1e6c1215f8d2b2a1ad732fe8291bca596e6b3dd14e9a521bd7e407a4da119e2aab186d043b72bafe39c564b7855bf9

memory/4772-28-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d97911cda98e53267cfdcdf33ecb0540
SHA1 cf9045b917d492ca007ae66eaca1b7a618d97821
SHA256 7755ef742a652e7efec6a852b63c1ea0c8eb5940ac1561e67ccc59320e8e267e
SHA512 3fcc88326ccb756280174dc92532c2a4f00c5874e9b7120febb241d0a66e6d15c463ea239b62d5532f1e78af355fbf866275809995b64683894707c9d7f45283

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8bda13e3b160ab623cbad13bb4c4b62c
SHA1 f9f82e179e152b47a3d189623306d1a9d5669252
SHA256 3088b39ed270f19cb6c2dfd874c5390bad5642fa8bf06a2dcf5a2ceadd4e19a7
SHA512 360fbd399247d05de7427c01ae4f157d1ec8178273608eeac72392b955a0bc61ced2ecd0e40f634ac9a92af3d92c1b8c8006779d2841feafb3a438760c05880c

memory/4908-40-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 65d7c89836bdd9d9e2b69cdc9ca87b06
SHA1 e6175f8e970be68162c2216ffafe06020cee36f5
SHA256 5a547c78e246da9569ea9f5370afc9bcd27aa3f7453bc6696a143441e3c682c4
SHA512 18b79af4e20003982336e63ff5f0508dcfb24a0b52b45a394602d4c4996df0e4017a4a0795eaac7455c2176340cf6c85fcb59b91c9b76cdf8241edd45d1e7892

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9131ed4a1c8bfa64d81fb430d97121a0
SHA1 a4ba17ad0626a18ad1447a43c971dadd5bd0b00d
SHA256 a4c0cd4662963c2c65094ba18ae12948a752115b5586004fce954e97b17fb059
SHA512 77684fceda88f16716f3f346e96eb6cd763042ea219e018ca15e45795b03e2769372b09a0e1333315ebb4b6ab9a54b58b2f000390b8e4ade95fa91cb91f6e13b

memory/1428-52-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bf4d1ab18da2af484743c5232b69614d
SHA1 98ad8f01e745c3501202d6e04e88b044e1f13b41
SHA256 66dfac62601d8d6e9b1e673dd30b7adad8d7cb88e743a12c1d9d58d02587aaa1
SHA512 488237e1e4c4bec00d262341e09d3b58f976ef8b6e6b1491216bcbc609044b19f3e214c72ca65a5b30737bff9b1a8d77f780729db217e51d3a8ff0ebb47f6589

C:\Windows\SysWOW64\drivers\spools.exe

MD5 901494b597ed92c70016d3900eb472b0
SHA1 1ae8fcdd3755739a83429b86f5ed612daa071f48
SHA256 4350b8494cdac0806f3c933f074e63d0655e37e5a6a203a50fc1e24e6745c156
SHA512 ac2c0b4e64176cb8a587225ef306252c5abe22dad6571dfa620551849a29122e68025362fcbb12294dc90dae6285a1a6f215e229be2ff716a2df3114495c941e

memory/3720-64-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fa6a0ec030bdfdac47b7a42e19a3918d
SHA1 e2766e3d2037089f3860291ebd63f3431cc38ca0
SHA256 11975edf01c059f53bab4a8961435ad7b9c11ce11a5a525a8edd97394c0b3215
SHA512 c1b092c59033a20df8bf4ef14f8caed8c5e45903c9c27ef9e68149b8ca754b70907a80ca88f88796f357184275fcb1ec2f3ac418bb183846255ab48e4c0cf548

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e8332bcf0c20b3d571379001e2658cfc
SHA1 9ee6d1415df2c8e2c2daf2cc0a2ec8c368a236e9
SHA256 3f1faa0afdae0ca798e9ad3d912befe50ce0b0347fe525c69a2af91b0a6938b8
SHA512 a2e162fd8cb1860df8d17a4828caf3a8a887d856931e0bb8d0c0ed6449db05633b3e8ddb2f78fd52a555008aedef251ef87f4117dc0b2df096bbfb5bbcb2f2f3

memory/3084-76-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0733fcf315b661053781877254c59e0e
SHA1 8dc08798eb52092d79bfb3ae272900791885c286
SHA256 921de54a7a095297f38f4041d86cb27b07a13750d65d02d8089e403a513f384c
SHA512 77fdbb3a2157e7e715d76e5e921ddc2ef73951e40c67f06e3ac5c09a220fae4436d28fe32068d346a7279605d0bd507398aeb73d08c83c295173d5f3ef3c5d40

C:\Windows\SysWOW64\drivers\spools.exe

MD5 910fc250ee0df23dbc506a1bb238177f
SHA1 6f6a68af9e77cd6c469449e91c513c9c3e769c5b
SHA256 26c5889eab5d623479d820b08befe96c933a0e239a3b6144f51e37730438502c
SHA512 d90852a01b360de4a08414fef7104d4ed03cba1cd4fa83e0e34e43e3abdcdbabbefbc79be90267fb7632ede22c90b883a9dcda50eb202c915e5317d9707b7878

memory/564-88-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 49ff953f45dd058a07d2ff4f3a487ae9
SHA1 36f878366dff9e1561e09bf0ae0c0639b152a3d5
SHA256 de55e28bfff8cb568b5f2f1c7e6e88e725615ed1e917dc55640e848d1eddbb07
SHA512 e3e07d98bb1a05f9364f5fa6567695915ee259536465faa8fa9adf06ef8ba78b8bdd1bb9315085d8368c9221cadd1c7390e11d2f260451295df5c70452d18247

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6a4631516a9749deda5a72b1c5bfe8e8
SHA1 fdea9be8c88a19c1c80d8e575394b690a08bbf83
SHA256 0a057416a78cbb8ef6d12191c8dd51f956becda762d2d9241b9380396a7fc473
SHA512 1d0e064a66c585bf475038e87afbe3ba55f43a799b3a85be5dca072427a88328b06bec48c0d8470e2e2835d2634df2ade78f1ff85b46d46dc46e3ff0bfffc8c4

memory/3436-100-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4de3db7c9b1781c2012d0a5bda9beca5
SHA1 fedfa462cf9bc4f5c310b7a228ba93ed09e58c5c
SHA256 c096ab201895c0dbf755e6e2d3a9377962e3aaff6e0e7e685dcb39a898600da5
SHA512 cc74c422b573e64e2095fe544917dde997b3958b39d58b62c92c32850d20675282075267a5e8ecc709a22ab50597866ba7f0bd44fceefbec81a9334531ccc983

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4beb447acd2bb23f095ce3d6a15ca296
SHA1 80bb58ee31774c9a308abb81d0dee603647bc765
SHA256 132304b8ea39ce26d4b7cfa51bff2eb6276de75a847464cd328d9a28f57b0c80
SHA512 0a927ceee387c5180bd921ab912ed9ff6a2183507ea381b0c2716fced047226307aa6e2e3f42e89a985e71e0a0d4a97ba4c1aa8e5b5f6df0acffb26697b36ede

memory/4820-112-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 75698db2a308e95b73b9337a9031449d
SHA1 1df739f59af22fc5abff0fcea2ac4d79eb417101
SHA256 515a0491ee471429e9e47cb5d5fcd945566957444ed3af0ecefdeccd44487009
SHA512 9c10ece545e376e3e5e5792a6f17e66eeb02eefde3d95548707d5908bae7b6fd0b20be86851282636d8e6e03d4b001e4fcc2650c27022b23567445b11a0e9c33

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4b2c4b93cb42fa445295a08604591117
SHA1 45924ba04b2d1e849ccd40ad4c593147a02e7e2a
SHA256 c65cbca83f64f369bb72ceac08fecc5e6efbb979c91037d6e79a410aa1bd999d
SHA512 e55059059e2a84f01672742d6eb86c87a0d6425227100af1e5288f50c0edb26085ee5796bec6385f573f3b84a934b0ce801f99aeddcc143710bbff836b5d0da5

memory/4008-124-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 55a9c1a1d007b74ef7c72b2a1ac30593
SHA1 228af8540156503ab810dae625f13c173994fcfe
SHA256 5901056d6e035fdcdf1fa8c2060afde23269fb3ebaf41f03d7f9e431997d0d24
SHA512 0bd7365675ef2a66b7ac12eba5fed110604886016544dbedeaf87c268a9f245a698d05143255855c68a14cab0ad4b4d5ed3fc15a7c9b755b4b891f642909e575

C:\Windows\SysWOW64\drivers\spools.exe

MD5 279bc8ef6b7add4a28036a50ca9ec36a
SHA1 359e6017d352839974de537536e8d449fc4e0e9c
SHA256 43bd52ef3a7ed2464f814c8f5251f8ecfd1c4777442f602da623bc541e51f405
SHA512 f95b5658904a2f8a4c426d0223ea8b82f31c448411bb2905bc3407321edffc8907f3acba06684f166400c9ff3ac1560f667d648ec219d51431a5fb2b888b5f80

memory/1244-136-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bb72323322e57a209d6629b8874d52ba
SHA1 e6cfcf737e27f231c7c29b2fd4d9c5b0cb4ea78a
SHA256 bda41184b8f92e8ce1fb9db1156b90c6f70a1cac7b13697bdc6ead01cb93a794
SHA512 a7c09a82969a1cc26e611c183bac3c1b55cbbe3cf5e876aba166883e3c60ff38cd18b970fc319e8364178144b43a9e6a8c582efa0372e7af03e7127bfd9bea26

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a837beb63978829fc02d81fa2418202f
SHA1 0c334c863908039b7d892eea25660d3351cc13c7
SHA256 03729f058e459731c931b80cab6f0a17ffd8f34dcc038f269f9e10ffa8c9cdc5
SHA512 457138d6b65f807a69c2f7ca40a5a6a2a4efb4a8c8331bdb9fdd13bcebd14a36c60e4fd0653a76aac23e4cfbecb161b097b9c87d10dbe21d9ee2acf1d90befec

memory/1312-148-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fbfb6dcc92040044f931fd8ca3dc29e4
SHA1 cd8e520834b35fa71c1e6aac35a5895c79f6e8e6
SHA256 0ae69ffe6d7a1d73579af1e297668abc7bca650d9ff92c3ef59ee98c4cabe1a1
SHA512 aee48691b6f6a7044439136cb21cf8e8b530ccb639e08df586bc62c839f054b3bec0bd96e6f7034942ecb9f4b106afa662be1277b5153a35be72ddfc722b4436

C:\Windows\SysWOW64\drivers\spools.exe

MD5 418e0fc81f5426977b543926d171e275
SHA1 fd12246791e9c20b9688f4a20e3826a4b1e3354f
SHA256 20406b64dcaceae94782017bc7778891beb7071aa88ca0db930ea347d1d322fb
SHA512 717e5b14ecd2c40d23a77ef39e20280c42da7fa09d41a2d996a257e2a1d91724708f75dbcdbb1b4aa1804641856f7d09b16093c7e87c7c978221eaf8bd7bc237

memory/2840-161-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3748-159-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e813e3a78e974ed79a1d9b5dc3b82d46
SHA1 544ab0e65ed220d8ef7d9ee3d60f8e69863e3a46
SHA256 4763109e6aa663023842ef51d11994cd52e4b508dbff7eb5081ecccf03e7b160
SHA512 ab57c01c63fbe9404a45e3380ec4b672f190e9679933156a866655c3b27030965d24d924d26698bf67583c42a5bbb14bdad1e018c2dbe17226a07b6d5b8e7b64

C:\Windows\SysWOW64\drivers\spools.exe

MD5 09de17b5d54710f5fe91bf7b7210cabe
SHA1 3379395daa74053443f701e130725b01b0974543
SHA256 652d2b83173c106114e56b589b5cc6ce68655b7c01ab6cd1d9e692b5d651cbf8
SHA512 a64dc4e19f7fbd23623a50660df3c5cf79ed4e86a8324fd38ccb79d16307e79397d5df8f35b2d11abfa15b0014a752d64367a1a509270136521d901754abada0

memory/3748-173-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c6f7c7ed5f29e9f552156e660ae8096f
SHA1 b87008ec7808451f13bf4a9ab25b26bd495237ae
SHA256 f94220052c0d7bfbe1432bac0b683363b654d088d2bb7b2fc2ef92d003715bd9
SHA512 ce7e0cfd0adfdf7224ecc53d917bf49842c0363c6b71628926614d5a9f4a9c60bdde36d66fd21fa7a2d256beb60dfdaf4f91100c22b3b044769c7609c1c06d43

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d21baef060936466f45b5bd4d6b4236d
SHA1 d6c25e5629dfe8f187e77a049b058bc5c1e86206
SHA256 1eab784418dbbd96085aae89e8b6fc07ed762aa659591feb8ed7eb7689f8fced
SHA512 05b8dc186a8396d30d083318a5d1fe8be1397e2a9183bde6fbec077efffb0aa0ee99c8f637c107bf3c093c1ffce896a3353cd44f1523c875bf7b217a9b9672ea

memory/2076-185-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0e56776e7676e87543a1cd237bf26f7d
SHA1 0e723bc030ec821934845cf0fb1757162e362428
SHA256 59eed750eedc5130e63521f0abf1972c12f02b2c60096038500d67c784517188
SHA512 17c91926fa908bd01d42d52760e4d4b249092a40a0e39bbbc261058265aa8064eb009e5b089004b12c4089436bb37a92321e86c2519a74c1fd28b51afa9858ed

C:\Windows\SysWOW64\drivers\spools.exe

MD5 69ad4aba18a8ed2b4f64a269485e4c65
SHA1 66eb283a7dce89e0e8d38431a3ac9ae6f2406234
SHA256 f489355ec4ad9684a5696dda7bb69489c0285fd1b8ea8783e844a21d3dae2d33
SHA512 65b7a85e8ce1cc61c5227b8736c5a77675fd123dd2911e431ccb41715018406f35810a8a04e9346935641569385b601f35bc487258ff3807f585157298ed6198

memory/2540-197-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0fb9a26092f006d84492ef4a087ced59
SHA1 a95c6fac5b468b89f0b6ea9b82f858ddde47f2f4
SHA256 399d5557b728c2d34b52ba6652e27c4066cc61fbce340ca8882d2e464c33518d
SHA512 561360985d7599523505a5635c4b6281a5e693fbf1d379ea1048fb768dcce9c46dd6be97c04a6a9bbc6dadba685cf9e363e6e52314ab89999063f2e2c4fb6b26

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e3c133ff938b5d1d7e882bd96821608f
SHA1 eca7bd901fe08fd036bdc037df4ab7b9eb4b8616
SHA256 0612c496c92ea4f814291dc168225f91f12181b7d9ab1212800a5a6276387d9c
SHA512 57d41fb7045526c3d041903b333095230b2de26014df1f1837d54dc6bcb406969813ecc22ec1d1577963ec543390923e48dd8cad6092ae9002c53e28d62351f0

memory/4368-209-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d5122e88c9cec5607ba42bdc06321b2f
SHA1 50c590b1b49032cfa8a09637a24eac0a29cb55df
SHA256 f009952b14e78cd28c1382c6289e7fc1b832ea1e9c8a98dafe3bedcc2643561a
SHA512 c0ba54f0a9d1a849cbce5ec6dcf48e8832925300655c7863fda95cacbad21f5812dd39a3684ecbcd261dc1d012a482d929fc78f87fe5e820b777c602cf219520

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f8f4b9ec2e36f06de7a2fab1763a3e18
SHA1 7e8f3e5f866dfbb7824f92804a80dc5b6608f118
SHA256 e91899a4f6f5a4448cbb3a8ed07f76ec023ab8d3ceb31e40a3833c174ba338da
SHA512 d763eda94c398b81aebc1a6ffa1f5089b64d7ccfd84b0c791d3514fd879565b85d77037dd8b3caea5420559e5650794fe30ec4fa51d04b4bc618dbdd28707bba

memory/1188-221-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 511abfa4a180ce0927077410d88387bc
SHA1 5fa3ffa66ea03fa85213b931d28397ab948ec2ef
SHA256 fe1fd8d727bfc3d73678bce53f454cc1245e4192a8b8903a7ae74faa4f2bec7a
SHA512 2c46e95581e42c1dc4faf1aae3ab870e8f9cfb1123d34db2ddecf1df5bc7b750335933697b866335063bb875817ca1fe998a97b3e95efad5fc3c5dc2a2f4f87e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e136f91cc9e78decd3f3c1927dd0e409
SHA1 4c10df17b6497f913900912847144f7bacc70ab0
SHA256 3245cddd363cd886aaf31d879a8f5eb01188e79055a618ef6cd03b835cf6b546
SHA512 fd19d3f0b89e6991b3c6092b17e4962c53b94de3b85316e8b01ae0decc3e45626cad24555511d876245d1e5dfa5b40572a8fec5822c15fb5a598add5a0e21c24

memory/4704-233-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c8639d6750ca0d8117f73402a455df62
SHA1 4b0dbb3338a6fa095d14cab3a35ab5dc541cc5d1
SHA256 e1dc8359bac50130b26969a2ef247e5d89c1e2f472f67e5dcdca220feae24836
SHA512 bf2310d68c1fdbb7a93c787ab75916f69bcea270034247567b1c937e9e86511f97f2b727e0d56113a2a70433aba10869ddfc516cf29541a3bb28ee6faee12326

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a153444049df1dcf2222b01d574fff15
SHA1 0d3dde46a20d9bb308323e2c5b6760f46689103b
SHA256 9eb17f5abdbf582169f2be51fee25729d99b49a906df8a680e64118b9e9c3c94
SHA512 d2407e7002542878dae2055fb6ac64ec65a2979a356c2c77fd0b242f97bbd4b29847d39c5e0bbde12e1e0d0c0e477c965e4c1c17d4892467779c38ee01ddb844

memory/3056-245-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ba2851438d65871adcb34e867ee054c4
SHA1 bac46721ada91a5136490534b9f1f05a9ce29fb2
SHA256 c7cfaba92de7f85eb76949dcd3c1a7005776d7fdc4f58172088cd0fa918cf647
SHA512 70966ef2db4a73f1b28ca37f1fbcfb7c88952985d420ba0a0f35a585463a296b762844e256543972157a0414333cd9f6808bd4af512e255a44a38a5697b241f4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5cf009192764af116d7941cf4a513398
SHA1 abf3aef4eec4e7c8a6daafc6b63bd94d4c44843d
SHA256 e16e7ff4af6e6bf1b6f832d8308533540a70a0c93df4aa00e75861479e9dd253
SHA512 3e0e6f3407e6a2d5d07e5d32c2f48fa7a5b142dffccb48ed8b5e9ea705113a3b501d621615ed5d55e4e259b068370b3d7da967f5b26257d7781f80bb8578f06b

memory/744-257-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f09338f0843f615b68477b34459b24b2
SHA1 20d5f0941fbc18afc0506bb1f1f192f730f5f9f4
SHA256 9cd21b3c4afc219453c2e9d4e932da0d21f9d3023ae7cf659c5dc2873277cf72
SHA512 caa40435707d453c5a71aeedc5210e9e8848419d3aad695fcb6e7f2242647bfe74308c9dc8eadd8fd30b73a036e309ca4ed47952a35916fd20f68a77bcab8cd9

memory/3220-267-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1472-276-0x0000000000400000-0x0000000000437000-memory.dmp

memory/3268-285-0x0000000000400000-0x0000000000437000-memory.dmp

memory/928-294-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1516-303-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4184-312-0x0000000000400000-0x0000000000437000-memory.dmp