Malware Analysis Report

2025-01-18 21:26

Sample ID 240323-alk6xsde6t
Target dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c
SHA256 dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c

Threat Level: Known bad

The file dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Detects executables built or packed with MPress PE compressor

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

Enumerates connected drives

Adds Run key to start application

Modifies WinLogon

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 00:18

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 00:18

Reported

2024-03-23 00:20

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (44 identical rows)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (32 identical rows)
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (32 identical rows)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (2 identical rows)
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (1 row)
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (3 identical rows)
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (3 identical rows)
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (4 identical rows)
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (4 identical rows)
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (5 identical rows)
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (5 identical rows)
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (1 row)
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (2 identical rows)
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (7 identical rows)
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (2 identical rows)
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (3 identical rows)
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (2 identical rows)
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (3 identical rows)
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (2 identical rows)
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (4 identical rows)
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (4 identical rows)
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (7 identical rows)
(64 rows in total, grouped here by drive letter)

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A (37 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe (4 identical rows)
PID 1744 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Windows\SysWOW64\reg.exe (4 identical rows)
PID 1752 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe (4 identical rows)
PID 2672 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2672 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2672 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2672 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2684 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2684 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2684 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2684 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2476 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2476 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2476 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2476 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2496 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2496 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2496 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2496 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1644 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2700 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2700 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2700 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2700 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1672 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1672 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1672 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1672 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2324 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2324 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2324 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2324 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1620 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1620 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1620 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1620 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2352 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2352 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2352 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2352 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2032 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2032 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2032 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2032 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1212 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1212 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1212 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1212 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1060 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1060 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1060 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1060 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/1744-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1744-1-0x00000000002E0000-0x0000000000318000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 57e3d23c33c08c247b867135e7c645be
SHA1 cce3fb747b66bcdbaef28e8f8cd0c2cb37e81da0
SHA256 67f9369febd13869239c1f45598695a95cde862cf917a750a6cdc2ea99b6caba
SHA512 541b9d40785d05245de6dc1e962023a26f27924a2c70a8a378705c2398f597f4ca35f4689807ac19a98242e20aec6fb29182a38434f48e19bac8b7b2381dcdb3

memory/2672-6-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1752-9-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1744-10-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 720d7fd5394e79d0dc48cc536c1a8b41
SHA1 f43991522845d8091d9f7355b237f8afb040676a
SHA256 29e0cb859f6a07e76c514d156d7efdb15033c1dfee53ec4dc759651b3560076e
SHA512 698dd508bf924752db84703d9d8cc0cec8a96f4833ac4f04202b41553d89181c01de900ea3fcaa11d507267a0af20ccda66ed10b78ead443d6a54cb235ee6d9a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 34834e46c4a1c7038154630a339f2bf3
SHA1 c2683c028acc2fe9390e1fcedcf48fb2de8b044d
SHA256 32c67cd5c3b1e5d79c5070d79535f2191d0fab3835f07e0a186f06e896f4895c
SHA512 008a50e92fc6ab52977f42756937887b155424f5a54b44ba55d8b1bc186818800e84441cf1cf269c4c2be74be316dc14e728628a0124453bdd55f69482ef96b0

memory/2684-17-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2672-19-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c8b7cd53ba77d1082e69dd2d70e4802d
SHA1 0b4cad95c23465ec8e48dedfeaade75be4306f30
SHA256 4d88ee99b5e4e952809a92f4790e458d31a1a9eae08f3c867b841b3304a6b6af
SHA512 c45ee2d69b4e4298974beba10f1973c139fee665ae7d35167a29a5358f0717e5030d595f383ff4c95757d7a650152f3b02c09205f3b0e0b76a1065b6f14f2641

memory/2684-27-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2424296b212a0ec90c5ff590d427a005
SHA1 fa50b3b0a813fd765e5f1304410920f2214708e5
SHA256 0b71dbad52c5974830d1977812d990d82ac96ac1e1c8bd25baed371a05cbf03d
SHA512 5b971247012626ba0ecd7cbac280d71352d2780738fdb35ec1f787b831d1bb3ad027b13b7bc53ead412058c9f3c54bc9bd558e33280831037656e9aadc637b16

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7e8c505b00676247805a97cf45afdea7
SHA1 8d8c2f5cfd9578354d2dbe2895c2f3fea36d4bab
SHA256 0d8c87c3fb6af75ed32390cecd41a8b5d8bb5b88276e25acee142024a7f0a15f
SHA512 154119ba8658aad0c297fa965bede3d00bd84dce20b2348ccfa983ec53985fbbb72dd978c8b1cce23e544991e905c9da66c0e63db425e7c40670218bab06a6c0

memory/2476-34-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8fb1aa1015286deae39958d1b60b2aac
SHA1 03d717b01953d21e2ac33765f09526dfbcbbac41
SHA256 4eb58a6c506325018576cc6ff5799b1a27e5cda18832aabd5912cf47b3fed7d0
SHA512 9047632fe91db02b13905b66e5107857373cafeaaaad473d828f47eff2f381697620fe1f3bc56e67f119a6cb3371cf5bc32e87f94cbe5fb1b2a54ce13e559368

memory/2496-42-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bb6f0355e54a09ef7ee93eb6f0e55c56
SHA1 1a500577458e208decaa36f5a7ad945f64579ca8
SHA256 d7a5d1dc918cf0557c4f95ae21b45ec0a386b9878778eb97fd6114eaa7ccac5e
SHA512 1239670e9e936826787c9acfa9450a088381f4c749e0fdb220e1312ec0bbb64f8c34e3e6f586b6881862235bd261146be71c53683ce3d7571c452cc368baf393

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1e1d50885ce89bd28f956e2e2f3d8537
SHA1 b0a9e78cf202f14138b539ebd639ee14567fb224
SHA256 c3f63e08f66dd4f839635d6d1c14602ba59163c31783c099fac3c45a2842d068
SHA512 ad7aab4908d876effd7ddd3dd5b152ab0afdc86489c026a5211a88c29395b1630744dd11edc74e22d2d89f61e9123c7cb63696feda8024392a85c61ddae01506

memory/2700-52-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1644-51-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e4410ec9ae1fe4501ad13a534a7a55d6
SHA1 ecdb92f9ff40b13e05f1994c1b98aa503509930b
SHA256 31cd967552d174c2d2b4290427864393c25d75d26b39daf38760fa0c2d4f3c13
SHA512 8d89fa9b79f6330d333fb36406208ed14edaa0d2f6dfcc9b3fe42a48ce9584ad1464728035edb2553249a571f0ed8472f55dae7b42047fb90acfc8b0b41d3bbf

memory/1672-58-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 56594541327922c64e33409707838bc4
SHA1 00f4d57cdfb8c632ac10c4356111bca832f2e0a1
SHA256 a6ac40c1f25d03f521d11e207b8eee950f2ae7b27c39f6514ded59cd13b543d0
SHA512 aebe351c9e3fc82e44434a37604b7322571f0b407f20453383c5ebea1e103fb0ec185c47840ad206c0372e106a60078f5f31a49a8cd2dc4115f47c5cbae8a347

memory/2700-62-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5a6ec759359375d1cc71ac9434c0e2d8
SHA1 c1fb2c518adcaaccea77b8764fc4073c9fbc8cc1
SHA256 46bd8404a5cb3218bde31017901bb89d3eadf83cf23091cb8d9895dd9fcba339
SHA512 aff1f9b73653b25b7fa2ed7f3fc35f5364a2c1baf42602ad3eb24e538e358ae93c2df7cfbfecdc49aea91e7fe2560644337fb87878db1d4fc62374bf54838f8c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5130da8c66e1d5c3a240c6d00b65f2d7
SHA1 241a6555c25599c6a7dbc44d2ffd600bc871b577
SHA256 57e1c1b9666841d662d658992ab0db6a03c2620bad9fd3cc58d963612116a3f5
SHA512 ba538afa2670fee740c18e3e236f6371add834fea575e6e79124eecf1305de8769c8f8c735298eea193578225731c30d7c1e234c38d50a8663fe73a2cbb7a51a

memory/1672-69-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2324-70-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ab84fb3f501126f33f56f8153b80977b
SHA1 ff649f036d6f17671a6c0d3aaefd32f09bb2ee54
SHA256 e7361bb4e2dbe46dcb371173f54fd510c96dc6a9b523fcc7142809efc9f48e4e
SHA512 04705f52dfb0aecf23a4bc5ff010a5d4483580203dc11914008e47263681a8f6ae7c86f87c20ddff6c6a2ac78c035f90a9059e023a165dfb54f154e47e24179d

memory/2324-78-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8f2cae32188e29e5e89892d2be43d43c
SHA1 b065b49df79558e69c7448d5321d36b2e060a35f
SHA256 8d9e3db3bac177a9765ce9f6e33fb0f793e22bd74c136c7c2723a63c2527d79a
SHA512 d50ee3988d8e461ad0d69ed850a438bcf4e8af3be883d82697c12e8111f99d3d1d926f4e32a3534f2d197027b28b6ff6e53b1a7cec1ddfa14fefd30d9edc1650

C:\Windows\SysWOW64\drivers\spools.exe

MD5 07268952a2f842225a86edd6b85d7dbb
SHA1 c07671e7845f86d38f4f9ff83f1b73a9c876eba7
SHA256 3ce4f92fab3469e312cc600508197109840a799ebf8acd2e9a941b3109934ae9
SHA512 e8b562c1c614b2f0322682d02fd16c9d297009a1ac933af5b05856d3f2d7369da83aad01ebb9f157af95ba7aa5f37849d25a6153893de78984e1829d1629a969

memory/1620-82-0x00000000004C0000-0x00000000004F8000-memory.dmp

memory/1620-86-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2352-87-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 17adffb834f4befc5e60a17f11ac0532
SHA1 7d490ce839762958f27e6fce81d419cc38b497c1
SHA256 ff4a28ca9372e875bc3f410bb1bb79ed04b4d1fc4a16714c55e11133d02e3a3e
SHA512 9ba3a030d0879cd4b700c4ce6ddef8d7c5f17ce6b55e997160c93c22beeeff0995a13819e987f98a5bbfcdcf1ab0e1dcce9572b81418a607eddb5dde619d0fb3

memory/2032-92-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2352-96-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4f8ffd08950fd750814001a14a0c4648
SHA1 0a26755fa71af0ef9f60d4c6cfb6b12b99cb4f6c
SHA256 0e96305c81752f068a9f1f75ba55652e4869a61bb5f2c2e5b0eec275d16b984e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 00:18

Reported

2024-03-23 00:20

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
(the 64 rows logged here are these four key/value pairs written over and over: 18, 18, 15 and 13 events respectively; identical rows collapsed into the ones above)
Note: both targets imitate Windows binaries. cftmon.exe is ctfmon.exe (the text-services loader) with two letters transposed, and spools.exe is spoolsv.exe (the print spooler) with a letter dropped. Neither location is legitimate for a Run entry: system32\drivers holds .sys drivers, not .exe files (this lines up with the "Drops file in Drivers directory" signature), and Local Settings\Application Data is the Windows XP profile layout, which on Windows 7 resolves through the compatibility junctions to AppData\Local. The entries are written both machine-wide (under WOW6432Node, so the sample is a 32-bit process on a 64-bit host) and in the user's own hive; deleting one copy does not remove persistence, so check both the HKLM and the HKCU Run keys.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
(the 64 rows logged here are read-only opens of the drive roots E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W and X, most letters several times; identical rows collapsed into the one above)
Note: C: and D: are absent and a sandbox VM does not have nineteen mounted volumes, so this is a sweep over the drive-letter range looking for removable or network volumes rather than access to known paths. Read together with the stealer tag, it means removable media and mapped shares on an infected host should be checked for harvested files or dropped copies.

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Note: the process column is reg.exe rather than the sample, so the deletions are carried out by a spawned reg.exe child (a "reg delete" of the BHO entries). What is logged is the removal of two registered BHO CLSIDs followed by the whole Browser Helper Objects container; no BHO installation is recorded in this run, so the signature applies in its "modifies" sense. Clearing other BHOs is typical of adware removing competing browser add-ons; on a live host, compare the key against a known-good baseline rather than treating an empty key as clean.

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
Note: UIHost is the Windows XP Winlogon value naming the Welcome-screen host, and logonui.exe is its stock value, so this write asserts a default rather than redirecting logon; Windows 7, the detonation platform, does not use UIHost. It is still a reliable indicator, because legitimate software has no reason to touch the Winlogon key, and together with the XP-style paths elsewhere in this report it suggests the sample was built for XP, where a replaced UIHost runs as SYSTEM before any user logs on. On older hosts, inspect the full Winlogon key (Shell, Userinit, UIHost) rather than this one value.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
(the 28 rows logged here are this single row repeated; identical rows collapsed into the one above)
Note: "%1" %* is the stock default for exefile\shell\open\command, so the recorded value shows no hijack; the signature fires on the write itself. A real hijack prefixes another program, typically a dropped executable that runs the original file as its argument, so that every .exe launch passes through it. On a live host, read HKLM\SOFTWARE\Classes\exefile\shell\open\command and compare it against "%1" %* exactly: any prefix is a hijack, and a default value that keeps being rewritten by a process that is not an installer is abnormal in itself, which is what the "Modifies system executable filetype association" signature records.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe N/A
(56 identical events, all from the sample process; the report gives no description or indicator for them)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2224 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 3300 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3300 wrote to memory of 2680 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2680 wrote to memory of 3756 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3756 wrote to memory of 1720 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1720 wrote to memory of 3976 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3976 wrote to memory of 492 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 492 wrote to memory of 2248 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2248 wrote to memory of 1572 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1572 wrote to memory of 2896 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2896 wrote to memory of 2804 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2804 wrote to memory of 1592 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1592 wrote to memory of 4516 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 4516 wrote to memory of 3124 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3124 wrote to memory of 1968 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1968 wrote to memory of 4484 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 4484 wrote to memory of 4520 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 4520 wrote to memory of 3248 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3248 wrote to memory of 2372 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 2372 wrote to memory of 1784 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 1784 wrote to memory of 3744 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
PID 3744 wrote to memory of 1428 (1 write listed) N/A C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
(the report records three writes for every parent/child pair, collapsed here to one row per pair. Each process in the chain is a fresh copy of the sample started by the previous one; the only child that is not the sample itself is reg.exe, PID 2224, whose command line is listed under Processes below)
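Read row by row, the WriteProcessMemory table above hides the shape of the process tree. The Python below, added here as a worked example and not part of the sandbox report, rebuilds the parent/child chain from rows in that format. The rows are copied from the table with the image paths shortened to sample.exe and reg.exe; the `summarize` helper, the `sample_image` parameter and the decision to treat the parent that never appears as a child as the root are this example's own.

```python
import re
from collections import Counter, defaultdict

# Parent/child PID pairs from the "Suspicious use of WriteProcessMemory" table
# above. The report lists each pair three times; the first pair is kept in
# triplicate here so the per-pair count is visible, the remaining pairs are
# abbreviated to one row each. Image paths are shortened for readability.
WPM_ROWS = r"""
PID 1300 wrote to memory of 2224 N/A sample.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 2224 N/A sample.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 2224 N/A sample.exe C:\Windows\SysWOW64\reg.exe
PID 1300 wrote to memory of 3300 N/A sample.exe sample.exe
PID 3300 wrote to memory of 2680 N/A sample.exe sample.exe
PID 2680 wrote to memory of 3756 N/A sample.exe sample.exe
PID 3756 wrote to memory of 1720 N/A sample.exe sample.exe
PID 1720 wrote to memory of 3976 N/A sample.exe sample.exe
PID 3976 wrote to memory of 492 N/A sample.exe sample.exe
PID 492 wrote to memory of 2248 N/A sample.exe sample.exe
PID 2248 wrote to memory of 1572 N/A sample.exe sample.exe
PID 1572 wrote to memory of 2896 N/A sample.exe sample.exe
PID 2896 wrote to memory of 2804 N/A sample.exe sample.exe
PID 2804 wrote to memory of 1592 N/A sample.exe sample.exe
PID 1592 wrote to memory of 4516 N/A sample.exe sample.exe
PID 4516 wrote to memory of 3124 N/A sample.exe sample.exe
PID 3124 wrote to memory of 1968 N/A sample.exe sample.exe
PID 1968 wrote to memory of 4484 N/A sample.exe sample.exe
PID 4484 wrote to memory of 4520 N/A sample.exe sample.exe
PID 4520 wrote to memory of 3248 N/A sample.exe sample.exe
PID 3248 wrote to memory of 2372 N/A sample.exe sample.exe
PID 2372 wrote to memory of 1784 N/A sample.exe sample.exe
PID 1784 wrote to memory of 3744 N/A sample.exe sample.exe
PID 3744 wrote to memory of 1428 N/A sample.exe sample.exe
"""

# Description column, then Indicator (N/A), Process image, Target image.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_rows(text):
    """Count writes per (parent, child) pair and record each child's image path."""
    writes = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank lines, headers, rows that do not fit the pattern
        parent, child, _parent_image, child_image = m.groups()
        writes[(int(parent), int(child))] += 1
        images[int(child)] = child_image
    return writes, images


def build_tree(writes):
    """Adjacency list parent PID -> [child PIDs], in the order the rows appeared."""
    tree = defaultdict(list)
    for parent, child in writes:
        tree[parent].append(child)
    return tree


def longest_chain(tree, root):
    """Longest parent -> child PID path starting at root (depth-first).
    Assumes no PID reuse within the run, i.e. no cycles in the table."""
    best = [root]
    for child in tree.get(root, []):
        candidate = [root] + longest_chain(tree, child)
        if len(candidate) > len(best):
            best = candidate
    return best


def summarize(text, sample_image="sample.exe"):
    """Root PIDs, the longest self-spawn chain, writes per pair and any child
    whose image is not the sample (here: reg.exe)."""
    writes, images = parse_rows(text)
    tree = build_tree(writes)
    parents = {p for p, _ in writes}
    children = {c for _, c in writes}
    roots = sorted(parents - children)  # the initial sample is never a child
    chain = longest_chain(tree, roots[0]) if roots else []
    foreign = {pid: img for pid, img in images.items()
               if not img.lower().endswith(sample_image.lower())}
    return {"roots": roots, "chain": chain,
            "writes_per_pair": dict(writes), "non_sample_children": foreign}


if __name__ == "__main__":
    s = summarize(WPM_ROWS)
    print("root PIDs:", s["roots"])
    print("self-spawn chain (%d processes): %s"
          % (len(s["chain"]), " -> ".join(map(str, s["chain"]))))
    print("children that are not the sample:", s["non_sample_children"])
```

Run stand-alone it prints the 22-process chain 1300 -> 3300 -> 2680 -> ... -> 1428 and flags PID 2224 (reg.exe) as the only child that is not a copy of the sample. Keeping the write count per pair is deliberate: a pair with far more writes than the rest of the table is the one worth pulling the memory dump for, since plain process creation looks the same for every pair while injection into an existing process does not.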

Processes

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe

(56 further instances of the sample executable are listed at this path, none with a distinct command line; this is consistent with the chain of self-spawned copies recorded in the WriteProcessMemory table above)

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 45.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
Files

C:\Windows\SysWOW64\drivers\spools.exe

\??\c:\stop

C:\Users\Admin\Local Settings\Application Data\cftmon.exe