Analysis Overview
SHA256
dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c
Threat Level: Known bad
The file dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
Enumerates connected drives
Adds Run key to start application
Modifies WinLogon
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 00:18
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 00:18
Reported
2024-03-23 00:20
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
C:\Windows\SysWOW64\drivers\spools.exe
| Hash | Value |
| --- | --- |
| MD5 | 57e3d23c33c08c247b867135e7c645be |
| SHA1 | cce3fb747b66bcdbaef28e8f8cd0c2cb37e81da0 |
| SHA256 | 67f9369febd13869239c1f45598695a95cde862cf917a750a6cdc2ea99b6caba |
| SHA512 | 541b9d40785d05245de6dc1e962023a26f27924a2c70a8a378705c2398f597f4ca35f4689807ac19a98242e20aec6fb29182a38434f48e19bac8b7b2381dcdb3 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| Hash | Value |
| --- | --- |
| MD5 | 720d7fd5394e79d0dc48cc536c1a8b41 |
| SHA1 | f43991522845d8091d9f7355b237f8afb040676a |
| SHA256 | 29e0cb859f6a07e76c514d156d7efdb15033c1dfee53ec4dc759651b3560076e |
| SHA512 | 698dd508bf924752db84703d9d8cc0cec8a96f4833ac4f04202b41553d89181c01de900ea3fcaa11d507267a0af20ccda66ed10b78ead443d6a54cb235ee6d9a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 34834e46c4a1c7038154630a339f2bf3 |
| SHA1 | c2683c028acc2fe9390e1fcedcf48fb2de8b044d |
| SHA256 | 32c67cd5c3b1e5d79c5070d79535f2191d0fab3835f07e0a186f06e896f4895c |
| SHA512 | 008a50e92fc6ab52977f42756937887b155424f5a54b44ba55d8b1bc186818800e84441cf1cf269c4c2be74be316dc14e728628a0124453bdd55f69482ef96b0 |
memory/2684-17-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2672-19-0x0000000000400000-0x0000000000438000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c8b7cd53ba77d1082e69dd2d70e4802d |
| SHA1 | 0b4cad95c23465ec8e48dedfeaade75be4306f30 |
| SHA256 | 4d88ee99b5e4e952809a92f4790e458d31a1a9eae08f3c867b841b3304a6b6af |
| SHA512 | c45ee2d69b4e4298974beba10f1973c139fee665ae7d35167a29a5358f0717e5030d595f383ff4c95757d7a650152f3b02c09205f3b0e0b76a1065b6f14f2641 |
memory/2684-27-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2424296b212a0ec90c5ff590d427a005 |
| SHA1 | fa50b3b0a813fd765e5f1304410920f2214708e5 |
| SHA256 | 0b71dbad52c5974830d1977812d990d82ac96ac1e1c8bd25baed371a05cbf03d |
| SHA512 | 5b971247012626ba0ecd7cbac280d71352d2780738fdb35ec1f787b831d1bb3ad027b13b7bc53ead412058c9f3c54bc9bd558e33280831037656e9aadc637b16 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7e8c505b00676247805a97cf45afdea7 |
| SHA1 | 8d8c2f5cfd9578354d2dbe2895c2f3fea36d4bab |
| SHA256 | 0d8c87c3fb6af75ed32390cecd41a8b5d8bb5b88276e25acee142024a7f0a15f |
| SHA512 | 154119ba8658aad0c297fa965bede3d00bd84dce20b2348ccfa983ec53985fbbb72dd978c8b1cce23e544991e905c9da66c0e63db425e7c40670218bab06a6c0 |
memory/2476-34-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8fb1aa1015286deae39958d1b60b2aac |
| SHA1 | 03d717b01953d21e2ac33765f09526dfbcbbac41 |
| SHA256 | 4eb58a6c506325018576cc6ff5799b1a27e5cda18832aabd5912cf47b3fed7d0 |
| SHA512 | 9047632fe91db02b13905b66e5107857373cafeaaaad473d828f47eff2f381697620fe1f3bc56e67f119a6cb3371cf5bc32e87f94cbe5fb1b2a54ce13e559368 |
memory/2496-42-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bb6f0355e54a09ef7ee93eb6f0e55c56 |
| SHA1 | 1a500577458e208decaa36f5a7ad945f64579ca8 |
| SHA256 | d7a5d1dc918cf0557c4f95ae21b45ec0a386b9878778eb97fd6114eaa7ccac5e |
| SHA512 | 1239670e9e936826787c9acfa9450a088381f4c749e0fdb220e1312ec0bbb64f8c34e3e6f586b6881862235bd261146be71c53683ce3d7571c452cc368baf393 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1e1d50885ce89bd28f956e2e2f3d8537 |
| SHA1 | b0a9e78cf202f14138b539ebd639ee14567fb224 |
| SHA256 | c3f63e08f66dd4f839635d6d1c14602ba59163c31783c099fac3c45a2842d068 |
| SHA512 | ad7aab4908d876effd7ddd3dd5b152ab0afdc86489c026a5211a88c29395b1630744dd11edc74e22d2d89f61e9123c7cb63696feda8024392a85c61ddae01506 |
memory/2700-52-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1644-51-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e4410ec9ae1fe4501ad13a534a7a55d6 |
| SHA1 | ecdb92f9ff40b13e05f1994c1b98aa503509930b |
| SHA256 | 31cd967552d174c2d2b4290427864393c25d75d26b39daf38760fa0c2d4f3c13 |
| SHA512 | 8d89fa9b79f6330d333fb36406208ed14edaa0d2f6dfcc9b3fe42a48ce9584ad1464728035edb2553249a571f0ed8472f55dae7b42047fb90acfc8b0b41d3bbf |
memory/1672-58-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 56594541327922c64e33409707838bc4 |
| SHA1 | 00f4d57cdfb8c632ac10c4356111bca832f2e0a1 |
| SHA256 | a6ac40c1f25d03f521d11e207b8eee950f2ae7b27c39f6514ded59cd13b543d0 |
| SHA512 | aebe351c9e3fc82e44434a37604b7322571f0b407f20453383c5ebea1e103fb0ec185c47840ad206c0372e106a60078f5f31a49a8cd2dc4115f47c5cbae8a347 |
memory/2700-62-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5a6ec759359375d1cc71ac9434c0e2d8 |
| SHA1 | c1fb2c518adcaaccea77b8764fc4073c9fbc8cc1 |
| SHA256 | 46bd8404a5cb3218bde31017901bb89d3eadf83cf23091cb8d9895dd9fcba339 |
| SHA512 | aff1f9b73653b25b7fa2ed7f3fc35f5364a2c1baf42602ad3eb24e538e358ae93c2df7cfbfecdc49aea91e7fe2560644337fb87878db1d4fc62374bf54838f8c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5130da8c66e1d5c3a240c6d00b65f2d7 |
| SHA1 | 241a6555c25599c6a7dbc44d2ffd600bc871b577 |
| SHA256 | 57e1c1b9666841d662d658992ab0db6a03c2620bad9fd3cc58d963612116a3f5 |
| SHA512 | ba538afa2670fee740c18e3e236f6371add834fea575e6e79124eecf1305de8769c8f8c735298eea193578225731c30d7c1e234c38d50a8663fe73a2cbb7a51a |
memory/1672-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2324-70-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ab84fb3f501126f33f56f8153b80977b |
| SHA1 | ff649f036d6f17671a6c0d3aaefd32f09bb2ee54 |
| SHA256 | e7361bb4e2dbe46dcb371173f54fd510c96dc6a9b523fcc7142809efc9f48e4e |
| SHA512 | 04705f52dfb0aecf23a4bc5ff010a5d4483580203dc11914008e47263681a8f6ae7c86f87c20ddff6c6a2ac78c035f90a9059e023a165dfb54f154e47e24179d |
memory/2324-78-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8f2cae32188e29e5e89892d2be43d43c |
| SHA1 | b065b49df79558e69c7448d5321d36b2e060a35f |
| SHA256 | 8d9e3db3bac177a9765ce9f6e33fb0f793e22bd74c136c7c2723a63c2527d79a |
| SHA512 | d50ee3988d8e461ad0d69ed850a438bcf4e8af3be883d82697c12e8111f99d3d1d926f4e32a3534f2d197027b28b6ff6e53b1a7cec1ddfa14fefd30d9edc1650 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 07268952a2f842225a86edd6b85d7dbb |
| SHA1 | c07671e7845f86d38f4f9ff83f1b73a9c876eba7 |
| SHA256 | 3ce4f92fab3469e312cc600508197109840a799ebf8acd2e9a941b3109934ae9 |
| SHA512 | e8b562c1c614b2f0322682d02fd16c9d297009a1ac933af5b05856d3f2d7369da83aad01ebb9f157af95ba7aa5f37849d25a6153893de78984e1829d1629a969 |
memory/1620-82-0x00000000004C0000-0x00000000004F8000-memory.dmp
memory/1620-86-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2352-87-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 17adffb834f4befc5e60a17f11ac0532 |
| SHA1 | 7d490ce839762958f27e6fce81d419cc38b497c1 |
| SHA256 | ff4a28ca9372e875bc3f410bb1bb79ed04b4d1fc4a16714c55e11133d02e3a3e |
| SHA512 | 9ba3a030d0879cd4b700c4ce6ddef8d7c5f17ce6b55e997160c93c22beeeff0995a13819e987f98a5bbfcdcf1ab0e1dcce9572b81418a607eddb5dde619d0fb3 |
memory/2032-92-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2352-96-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4f8ffd08950fd750814001a14a0c4648 |
| SHA1 | 0a26755fa71af0ef9f60d4c6cfb6b12b99cb4f6c |
| SHA256 | 0e96305c81752f068a9f1f75ba55652e4869a61bb5f2c2e5b0eec275d16b984e |
| SHA512 | 77e2abd8e592503c2946cb18e199cd38519961cbdea9a558e744d828ab4542c568440260a818defb262808843c18930633e64db2a483f4d5572b649573fa403a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0805bcb62f4c3e0a0efa327b5715d2ea |
| SHA1 | dc2faab350b2cdd1d149a11148f5cc78f7d931aa |
| SHA256 | 501327a965064408645ad963a079e8bf653b68e51c1555a90615c5e6e84134b7 |
| SHA512 | 799c67806f5e3f54367d03aaa6937f9967e369997ca5c53f22e390965b48a636acab7a8fb58021cdb01285794e0ba1f73dfaa8e42447047e38e799d25d89d1a0 |
memory/2032-102-0x0000000000830000-0x0000000000868000-memory.dmp
memory/1212-103-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2032-105-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 44bf8aae44b006754d83122bda9c94de |
| SHA1 | a80bcd7364999f7c7d3a872af2ab1ff7a9d11c1d |
| SHA256 | 950c24a3712bf5de59b4547339065b5a67793f3b9dbbde70bb23f397700c06ce |
| SHA512 | 3064c93e58cf5c4addf73ffeb18b5c8758d6eb3c7fbf2b9d7b7e400d7407dbad6af9ba255b123d93c5052a6100b0299c339cee8e5a0ffe3a0d24a0fceed86882 |
memory/1212-113-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2c03b2cd71abe99c53e21c1bc4dfe46e |
| SHA1 | 2febc2a126c86edd493d67b80c081ec1dfd1578f |
| SHA256 | 0e82cddc0265d887d323ca4f18018d7e0e74ec06a8bfa9e380bcde3460dea050 |
| SHA512 | 14a5f244583827187424059fa9bf2ba5bfb4168561a903fc12892ebfffe04844313591901190db86f78c565493a0a45ebb8de5aa484113b3253cd092c2e91e42 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 45686464fd68464ba343c4e629799417 |
| SHA1 | 4e475d8aac230939774dbe847ed160ee388bcef8 |
| SHA256 | 4e323a7c3254c117d633cb10faa7f689a510c3e96260ca8a33a7cec2727862d5 |
| SHA512 | b942b6b861f46f29f62e60a389af06af7af59e7a1fc04736bfd6c0a347b7cdc766344db6ec75bab75adeb6fe73c8a69e380271a25dffe52cc76f62585748d538 |
memory/1060-120-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1060-121-0x0000000000370000-0x00000000003A8000-memory.dmp
memory/1200-122-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1200-127-0x00000000003A0000-0x00000000003D8000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4b5a0fe0d31ac5939b76b5143d595741 |
| SHA1 | 8fa9e2e51a6c5e02ed1fc28a98c912ab7610d84a |
| SHA256 | de2e9b70cfc4751f9a7264043ebe8d78604b6efce5174d644ee0ec8d63cc57f9 |
| SHA512 | 982f2812efa43c77a7241111dd98958d656954b1db09fda442e17ca9f8b6878cac855a296fd82ca9377d4ec04a036b8dc2db09e5a55c055b69eb183759d3784d |
memory/1200-131-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4c542c2f7d803b7841abf28eec4e6210 |
| SHA1 | 750c8319a243d5926457e4b7f0eec4768702ab34 |
| SHA256 | 245dc9b429f2681fe628d04bd5ebda141d50d5d136c6e6c9066d502e19e8632f |
| SHA512 | 1570efbe93889596eb97d99bd556e1327e34aadc59884006d28e68176d737378cc2a7438e62bcd46fc7551749ffa93ab04385f440a4fb1c0737a10775daa6ef7 |
memory/2316-135-0x0000000000360000-0x0000000000398000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e5c8ccaa7e3ef4b7de71c3c7f29934a0 |
| SHA1 | 9e6c0d4dcfb7a4e6e6a493f94129b77f37f7996b |
| SHA256 | 4ace11868e3cea285645b45266ace12844d54e0836c5bfae9d4469b101d8d0ae |
| SHA512 | 99f279fbc83724e511c298b7c0a9192520ad0c44d01a807b0e34cc6211cfa4e07dcaa3b850d58f3f968541db076b0176caccf9da5ab85f3de935abbf1f375982 |
memory/2316-139-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 27485a19998cc3c8c8e6678bcea4ff4b |
| SHA1 | 00e1c963e5000acd06bf063a95a070ab93b3748b |
| SHA256 | 33eeffd8e5ace789589fac4764a169628c73119036903aaa6846a43f4a4edb59 |
| SHA512 | a23b916369639d85af6a1e1dd5071850a032df18bb72ccd92ba6d98814c445ec6ff0aecd0a025dbb2e3d49e9f35c2c48731fda2d5db639999ae9eb7b0c4717e7 |
memory/1648-148-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1792-144-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b2cb5e5ab94e7f991559e11d4077b5ad |
| SHA1 | 7d4c9e633da361d0372bab6bcb9ee664df30fab2 |
| SHA256 | 2496528df3773a6f7aee5030328090f9aaef0e44422b1233a3abdc8da33a40fd |
| SHA512 | 2d6a4d1ed18fc584709c85869ca964339e2aa1fec4e109b331a74423dc08599a0389f8c84fd7fe6c1c1ce3f20f61d1f82b3c9e8341af7819a633dee34ca92ed8 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 323678f48a53d93e2f69560e6d97b3e3 |
| SHA1 | 42600700d2245b58cc460eae9ebc811111ea76fa |
| SHA256 | b4f09f9dd419ff90d2177ceab9d5d880f2780130668ea73a0f16a07325f93de0 |
| SHA512 | 77ab9a257802cbeba47ede4620cd54217f1d1b89cb311be203e4c4432ab0692ac4607b5d9af211c3f90b934c94ca659e867902459c84b765b701db72dbdd6a96 |
memory/1792-157-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5441c1e6590eec941f56658b61e75e6d |
| SHA1 | 0fe9d37a8186db92945a728cdca17a5b62e77069 |
| SHA256 | f8e32f4ef4c173eb3f6dd8fc408a9ea0244543c4c8f22225e6467e87de7f25b6 |
| SHA512 | c790a56d587e7034539938eaf54b4a1a3d78379ec2e798ea74e67bd19256ac1864a0f16a7e76f64453187757d6f53a3a6215002eeacaf838726241ce7379669f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4cbe65eebb556693c94c5d33cab5fabf |
| SHA1 | b274c088b0bc2cf71da81f28f968bdfc527f72d8 |
| SHA256 | 86d80c15ccacf46ef51618769b850769e39aeb203b72502704fb3b742af330dc |
| SHA512 | f9eed8f2c6104fe74dbf47243e6a1970c826fd61540f038522295d11a09e072deac6ed91c3037c90ca2cf67f3e778b3ee0eddf4330bdc865332a36bd42ba93c7 |
memory/1320-164-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 481b5a40d5a4f69ecd5b39f8889c1199 |
| SHA1 | 2d29d21a0d304270bd00b7a63da81745061de426 |
| SHA256 | e4eeb99d92a804a1ac21c58eb2b88244b570801a1e79d48a6d6e821d56e3c779 |
| SHA512 | 9037881df3f57775ea045bbf7692a7a7bdd6574e5d894c02fc68aeda97196a71728777c33bb2d89d2edeb56895628aa18e4bcd45f66db977cb23cd5b392bc8ae |
memory/2884-171-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1004-173-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3f70ab0b218061d895fb19ca80ffc7bb |
| SHA1 | 59227236d5f91fc7f7aed93cb888e5b63b62f53d |
| SHA256 | 8de4cbd9efd5017f7afe4fdababe409059dc9be794d034b1cc68f506ebdbf309 |
| SHA512 | 84f0a09c8ffa3f9167f0c34df32448888978a2b28fbf6f5d55b777718d315d289aa2f7c0721501de91fc53a5b88491adb6e424d0acffc6d4e7dc0639f4a62ed8 |
C:\Windows\SysWOW64\drivers\spools.exe
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-23 00:18
Reported
2024-03-23 00:20
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe
"C:\Users\Admin\AppData\Local\Temp\dc2ab5eddbbe80232875c7ae122fc9867f557fc44a5f46aac8eceeec9918f43c.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
Files