Analysis Overview
SHA256
26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc
Threat Level: Known bad
The file 26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Sets service image path in registry
Drops file in Drivers directory
Modifies system executable filetype association
Modifies WinLogon
Installs/modifies Browser Helper Object
Enumerates connected drives
Adds Run key to start application
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 18:43
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 18:43
Reported
2024-03-23 18:46
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-23 18:43
Reported
2024-03-23 18:46
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
156s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
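Host-side check for the persistence this report records, added here as an example and not part of the sandbox output. The sample runs as a 32-bit process: WOW64 redirection sent its Winlogon and Run writes to Wow6432Node and its file drop to SysWOW64\drivers, while the values it registered name system32. Two consequences matter when hunting on 64-bit hosts. The Winlogon Shell/UserInit writes land in a view the 64-bit winlogon.exe does not read (and carry default values anyway), so their presence under Wow6432Node is a trace of the writer rather than working persistence. The Run values (Explorer processes the Wow6432Node Run key), the Schedule service ImagePath (HKLM\SYSTEM is not redirected, so this reaches the real Task Scheduler service definition) and the dropped files are the parts worth checking; because the registered spools.exe path and the dropped copy differ on a 64-bit host, both System32\drivers and SysWOW64\drivers are inspected. The function name, message wording and the decision to treat any svchost-less Schedule ImagePath as a finding are this script's own choices; the paths, value names and SHA256 values come from the report above.

```powershell
# Added hunt script; not part of the sandbox report. Read-only. Run from an elevated
# 64-bit PowerShell so both registry views and both System32/SysWOW64 are visible.
$Findings = [System.Collections.Generic.List[string]]::new()

# SHA256 of the spools.exe / cftmon.exe copies listed on this page.
$KnownSha256 = @(
    '86a5bd5f8147aae809ec718a051ac6fd38c267e6a75c405ed71b5a7fed992db9',
    'ae1c19f46cda64ef5c01a0a7ab5c204cc010e505e511b817ea8b94c87ccc6d51',
    '78f0f8284c7556449c52c2e97769ec1540eabb2a8469b1262b8a5ab6c4b89790',
    '0efac1d568d55a6f162ed6495ab46a829a2047452988cbd428d8c3e07001e3a7',
    '483f70caae4a395584b4190eee430687ac80d3f1c430b7e2f388787d8c8c9641',
    '1ac7652fba99e03a487473f917834bc351ef8c6294c7c955d62b8b3c81725da2',
    '8b3708dc2effe3efcd7b06ea44771eba0cbcc051827c7e62df2e36d861cb95c2'
)

function Get-RegValue {
    # Returns the value or $null; missing keys and values are not errors here.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Winlogon. The 64-bit winlogon reads the native key only; the sample wrote under
#    Wow6432Node. Native deviations are findings; any Shell/Userinit/UIHost under
#    Wow6432Node is reported as a trace of a 32-bit writer.
$native = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wow    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $native 'Shell'
if ($shell -and $shell -notmatch '^explorer\.exe$') {
    $Findings.Add("Winlogon Shell changed: $shell")
}
$userinit = Get-RegValue $native 'Userinit'
if ($userinit -and $userinit -notmatch '^[a-z]:\\windows\\system32\\userinit\.exe,?$') {
    $Findings.Add("Winlogon Userinit changed: $userinit")
}
foreach ($name in 'Shell', 'Userinit', 'UIHost') {
    $v = Get-RegValue $wow $name
    if ($v) { $Findings.Add("Wow6432Node Winlogon\$name = $v (written by a 32-bit process)") }
}

# 2. Run values 'autoload' and 'ntuser' in HKLM (both views) and every loaded user hive.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $runKeys += "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    foreach ($name in 'autoload', 'ntuser') {
        $v = Get-RegValue $key $name
        if ($v) { $Findings.Add("Run value '$name' in $key = $v") }
    }
}

# 3. Task Scheduler service binary. The default is svchost.exe -k netsvcs; the sample
#    pointed it at drivers\spools.exe. Every control set is checked, not only the current one.
foreach ($cs in Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' }) {
    $svc = "Registry::$($cs.Name)\Services\Schedule"
    $img = Get-RegValue $svc 'ImagePath'
    if ($img -and $img -notmatch 'svchost\.exe') {
        $Findings.Add("Schedule service ImagePath is $img ($($cs.PSChildName))")
    }
}

# 4. Dropped files. 'Local Settings\Application Data' is the junction for AppData\Local,
#    so cftmon.exe is looked up there for every profile.
$paths = @(
    "$env:SystemRoot\System32\drivers\spools.exe",
    "$env:SystemRoot\SysWOW64\drivers\spools.exe"
)
$paths += @(Get-ChildItem "$env:SystemDrive\Users\*\AppData\Local\cftmon.exe" -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })
foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash.ToLower()
    if ($KnownSha256 -contains $h) {
        $Findings.Add("Known dropped file: $p sha256=$h")
    } else {
        $Findings.Add("File at a drop path, hash not in this report: $p sha256=$h")
    }
}

# 5. The sample ran 'reg delete ... Browser Helper Objects /f' from the 32-bit reg.exe,
#    which removed the Wow6432Node key. Its absence is weak evidence alone but matches that step.
$bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (-not (Test-Path -LiteralPath $bho)) {
    $Findings.Add("BHO key absent: $bho (consistent with the sample's reg delete)")
}

if ($Findings.Count -eq 0) { 'No artifacts from this report found.' } else { $Findings }
```

A hash miss at a drop path is reported separately from a hit: the file tables above list seven distinct copies of the same two filenames, so a variant with a new hash at the same location is the expected way this family would look on a host the report has not seen.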
Processes
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
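Most rows in the Network table are not the sample's traffic: reverse (in-addr.arpa) lookups and the bing.com/bing.net connections come from the sandbox and Edge, and the 8.8.8.8:53 rows are queries rather than connections. The Python below, an added example and not sandbox or sample code, parses a constructed excerpt of the table in the same column layout and separates the command-and-control traffic (repeated TCP to 193.166.255.171:80 for bublikiadministrator.com) from that noise. It also surfaces bublikimanager.com, which was resolved but never contacted, as a probable fallback domain, and leaves the unattributed 13.107.253.67:443 connection for manual review instead of silently dropping it. The resolver address and the noise-domain list are assumptions to adjust per environment.

```python
"""Added example: separate C2 traffic from sandbox background noise in a Network table."""
from __future__ import annotations
from collections import Counter

# Constructed excerpt of the report's Network table (same four columns).
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
"""

# Assumptions: the sandbox resolver, and domains Windows/Edge contact on their own.
RESOLVER = "8.8.8.8:53"
NOISE_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "msedge.net", "windowsupdate.com")


def parse_rows(table: str) -> list[dict]:
    """Turn pipe-delimited rows into dicts; skips the header and malformed lines."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def is_noise_domain(domain: str) -> bool:
    d = domain.lower()
    return any(d == s or d.endswith("." + s) for s in NOISE_SUFFIXES)


def triage(rows: list[dict]) -> dict:
    """Classify rows into C2 candidates, resolved-but-never-contacted domains,
    and connections with no domain attribution (left for the analyst)."""
    resolved: set[str] = set()
    contacts: Counter = Counter()
    unattributed: Counter = Counter()
    for r in rows:
        domain = r["domain"]
        if domain.endswith(".in-addr.arpa"):
            continue                        # reverse lookups: sandbox/OS side effect
        if r["dest"] == RESOLVER and r["proto"] == "udp":
            if domain and not is_noise_domain(domain):
                resolved.add(domain)        # a query, not yet a connection
            continue
        if not domain:
            unattributed[r["dest"]] += 1    # e.g. TLS to an IP with no matching query
            continue
        if is_noise_domain(domain):
            continue
        contacts[(r["dest"], domain)] += 1
    contacted = {domain for _, domain in contacts}
    return {
        "c2_candidates": dict(contacts),
        "resolved_only": sorted(resolved - contacted),   # probable fallback C2 domains
        "unattributed": dict(unattributed),
    }


def indicators(result: dict) -> list[str]:
    """Flat IOC list suitable for blocking or hunting."""
    iocs = []
    for (dest, domain), n in sorted(result["c2_candidates"].items()):
        ip = dest.rsplit(":", 1)[0]
        iocs.append(f"domain {domain} -> {dest} ({n} connections)")
        iocs.append(f"ip {ip}")
    for domain in result["resolved_only"]:
        iocs.append(f"domain {domain} (resolved, not contacted; probable fallback)")
    return iocs


if __name__ == "__main__":
    res = triage(parse_rows(NETWORK_ROWS))
    print("\n".join(indicators(res)))
    print("review manually:", res["unattributed"])
```

Plain-HTTP beaconing on port 80 to a single host, repeated 20-odd times inside a two-minute run, is the pattern to write the network detection on; the domain and IP are the blockable indicators, and the resolved-only domain belongs on the watch list because the sample will fall back to it once the first one is sinkholed.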
Files
memory/4076-0-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4bd1b316622b36bf6d1f79ba3caafb0a |
| SHA1 | c6204741ad10cf8b9ef61a41659b4705fdf5562f |
| SHA256 | 5a0755396a5d6275a08760db3c1fbc7ff3ff29517c8af73b3b0bf357b1e908c1 |
| SHA512 | e4802d5feea2ad927df06530776fa68d477d9b5a35ebe8860c0bfcdac9470a738992558bb5b8dff7735784a490cee84b93906f419220a425b5589c92e1ea7296 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4076-8-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 69c2a2397c651ebabbf229b34e689162 |
| SHA1 | b41a20bc000144f631265ed074f2be08e4d08d14 |
| SHA256 | 6e50d1dfea5d7ec1a3b7492d6a167aec869cb91c69aae512f709c1c040923776 |
| SHA512 | 1612a1d9896eecf8c64951e4a883711f7f00f9708c87c6010146cbc7865c1783bbd31dfb6123f807c42f4a81922a3d6ef4a677f0ced0e3b058ffe9f30b9d1958 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c1a2ee293dbb64936308aa40f4219098 |
| SHA1 | 956b08f55c8fbf05d3e85c7c8af227955e55c653 |
| SHA256 | c295ca1b632adedbad68394c109f658fd70fd7ddc36d3e72dcc685f1b531ede2 |
| SHA512 | 0818b8b7005251a334600e52d0bd87eebd520697b8b9617801f9f61dcb0c0331331804bfb6b4a872cc61e4b184eaa9942ce3bdedb3e2db2cd6726be504992e33 |
memory/3936-20-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3bf41077f74bf8704d12afb3cd03277b |
| SHA1 | 0e4293a3eec99b9a576d80930be4b59c34501d09 |
| SHA256 | f2045834f367834e3115a5f10ad01388e7112080926c863df0e5e2583c8ae32d |
| SHA512 | cd4c63b072b38582eeb9d3e6028f4e38136bac4a4a21b2a6b1901a4ca86ff84c27b75a3bf45e1f722e1ad8dfdbe85b618cda645b16623cd10631afb6794fbf69 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 78906762200487faf06d6291c7430e0d |
| SHA1 | 6d54c12b285f1e0274bbc150460af41b696cf567 |
| SHA256 | df70efe19bc942d075a5149b573e17a28105a3e571a967bda2d61bf9202f2df5 |
| SHA512 | 6ffab12d3019651fd9609f7d48ee1046a99b7ddf4c4fe46726956e146f3a0e94bb50ba7cb1dca64af5e2140cd5803a357707a02b029fc8b43a9f683ba040c4e3 |
memory/2732-32-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 60d007fe5ba7f42b6e126c94748d3e28 |
| SHA1 | eb792e5fa31dbc9b8dfe35f91ca8b3476aca9391 |
| SHA256 | a0eee0ed2cf21a46c66aed63446b97fcb27e2c1135993befc909aa97cfaf7c22 |
| SHA512 | 81447a6b2cb9809b183d33e6bf8e0c74c92607c20518b99aa03f514a5ef79ce90878c424c1af87f00b53d16be587a45bfe26d7b8361eee655091a6988184259e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c06795fdfa7fda00dabd14c7be0df1c8 |
| SHA1 | e58e8b7ce4cd656e4d3cae703db0299907ce5bee |
| SHA256 | 3e98d9b92fe844637137cba625eaf607db9198e49d23664b7c2d63f6cf2b3763 |
| SHA512 | f26468f888b1c0f3971693220fba228d044713a8feb0e78b5b5aa716197d101f6745d135904da992710a7d7187ac191e0e6685b7994dc3ba97c803c533283622 |
memory/2000-44-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3249edea9d812bc98749c63b2ff80a10 |
| SHA1 | 707e885225eef8b8c120c5525a87116c4bfb1533 |
| SHA256 | 8d901f4dea22de9ec3458b92fbc377ac22cf7b7e770c9496cd3e507a8758d8d5 |
| SHA512 | f806df36fc37990db09937c773ffbfc8827700e79bd032c0aa6f17c5f53c506ac832608be86601ce9b402e63c52b25a00c04b90cf3b6df84f20158a1681bb40d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 98556ece0f43245aa58f89a743480cf2 |
| SHA1 | 8dce211eb36b1ea21fa29a22c2f5e99d34d3937c |
| SHA256 | e9f86c1f1f2593b42c7468e00b4798acb1cd1e97d415dddee427c13b8b1105ec |
| SHA512 | 338e9825cc25db0557103da68cfe1dac848913f3cfae85543c21edb72dc54cf0ecdc2d13e2f5af6d54800c7a9112137dbcf3b77646319474fc40ffc3b4d5f532 |
memory/4628-56-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3e6e65bd063a83d5c9f19daa47e12efd |
| SHA1 | cdaef4a235eec8dab56c9fff61eb5dc51c3cb86f |
| SHA256 | 8107ca927b39c78f0883629fc4f69b3976dfca75b09b8ad5e280a56169520fa5 |
| SHA512 | 259f1460262646b3e1a098eead97d329d133925ffa2741d58524da663f17fca20b2110356113830527cdf50dd6808b0230712688c632f6056fe547cec4b05433 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8204261e69e79817babaffd5816052e9 |
| SHA1 | b44d90ef8fa6530b869189cc448e966331e3fad4 |
| SHA256 | e2f79cbae25edbcd419969346de7ab228ae18dfe3a158591a398de0a616b6b3a |
| SHA512 | efdb42fa272329f54eead30e142892a671d63fce380496130743fdf078b1a9f41353236eea117892892b825b342f9a367e433fca59f0d9d2454508a6573cce38 |
memory/2268-67-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e49920f36d804b2365caec17216c81ed |
| SHA1 | ef0d609dc1577b7006ef94b85a532a8cf167ca21 |
| SHA256 | e214de384214329d0736191b7fb2f8461d9846e81511e99f783910026a726199 |
| SHA512 | 76bbe21c36c5c8111b41ecde9cfc93bf0b6ea3e2337fed5287607c521b2e6e1a39596d8c033e0b9cec1611d5a1125948762d635c22c03b287b5e8623847010f5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5fcd5c0facccd95f26993ecf0678b759 |
| SHA1 | 771d8857cded6b8c43735d58473c6bb5baed0114 |
| SHA256 | 98fba6f3663df6a2f87fac97f008ea4154aac40436a5a51d5f0349ced829769f |
| SHA512 | 2d05d282abfee5a679a723b42fdda5675b57340468d785af03efa4ffe43b44a98d5da8deec4cdd4036dd06460e898e78d655b80288190e713e7d72e9309b1e17 |
memory/852-80-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 42a918b2bda2b6e465ecea6dda5ec009 |
| SHA1 | 2a9289010c70bc80c5541f4934817e70102589c6 |
| SHA256 | 070bb7fb4040b5945f24410ae11e48f37a1b6a3ca5051c36c5ca0a1114a5785f |
| SHA512 | 3998bd10832bd6a7fe7cb5a4d6e97d3806a72daa8e6979dacee9a37d28a7cb097074d228dea6e4dfc7863120fafc3953b3a79e6062c4ca8d3328404c2746d8bf |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7dcbd29799fec8225bf7c42411d0ca59 |
| SHA1 | c7a8ff879f573e5d706a9c416f5a6ef3a3dcb4ff |
| SHA256 | 8423c7a85a64cec4dad1ea9088b442bfb5897719a99638da613dfd93ae1acba9 |
| SHA512 | 6d22a61d1261f8f3942d1b1367a3eccbf8137acd8c6f4740d1617fcbf5fc899f6466921db09525818af4b306e1e0f7a15f749d37493ec1709d4c389bf8480bf4 |
memory/3060-92-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | cda7246782fc2e5984f188e09b3e3964 |
| SHA1 | c3ed9a63f49ba5f96928d569453db2049d78b1f0 |
| SHA256 | de7c32945ec3e0c8c91b1bc165bdc51ee48b4c82f1683707374c435c496fde38 |
| SHA512 | 13ba2c0e3a71555179648b530662a8a81bb994830db6f964eecbced2bb5942871745fb70c7467f58582d99785cb3e471040263945ab4bb7b565ca7806b93dbf7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 62d2d93f326a9b39478bcf4578bec16c |
| SHA1 | 0ac355807eaf4e35c5dad4169b57c31566108419 |
| SHA256 | 933cba6c74e0c7d2c2584c4b932856181c3adcc603c4763058540c1af2f3987a |
| SHA512 | d0a230b16578bc8738ecbcf7f0177d510ae587eb4736099f4f9de081f4cc0a5a1884ebcd1e8f546d1a645209b4b299650d8fc0fda9c08d50913fdf8b8ddb1822 |
memory/4788-104-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 767d548e682af9f4af620e4db207eb4b |
| SHA1 | 90bdd0e9a06b3aae307a30ef81a043beb3d8724f |
| SHA256 | c9cc8deea9f1c28ccdd28a4cfc36d2d74bbb8b0784ecdf86cf11ce72fdc896bb |
| SHA512 | 476660b4090e3322d06b2bfcfb1749ab938b391cc2ce7877235a29c392b863870d10f6875806e66de8f717ed0b540441edbcc2c9f0b2a43159838c3889f1c9fa |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4eb5f74e4becca9ee2dca2498882066c |
| SHA1 | 3db2fa95524a832cce9d8dfae3581dd3979702ba |
| SHA256 | 3564e09d366b0c5fa1401d63cd95e7d361e33aeaea828e7a32a896ecdec96817 |
| SHA512 | 69a9bccc02040819e2c14d6764f17fec3fa23038dd903fb141a3f4a818fefe91dc37c301c34ecef017b8ded4e40a645aa33b4752418ddf662672709d57c14dca |
memory/2940-116-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 244f3ed5dbf2060a3fe58706090cc288 |
| SHA1 | e593ddf8dd51fc333d37a86f4274d235f2b74135 |
| SHA256 | 58c2b625f034ca538ccab3a60e4b17c0080f466d3dc28bbbd4eb28e616444d69 |
| SHA512 | 4ceeabc4df8bdf780ba58364f43bf3cc4deb0de076961ec6eb0c0e2706c3dbb5acb80cc5e0f97900521e83c5eddd0bfc1de81fb5619c7d9a1458afe18fe84a5d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0066a4909431d4f28affa0337d82f5ab |
| SHA1 | c587c90482b621f4315a998c339b528856a8632d |
| SHA256 | 36f441719cf4206d4de19d3b1bfe89b6466e701875dd55d175184ccce91a5691 |
| SHA512 | 53c85e6675435f0d6c0ed416f750391974a3350d62e2d90db9755eade2883a4525e26a272e6ac13458de0fe71d8a05a256569708d33143775290e6232593faf6 |
memory/1392-128-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5456ae8c1b8b9bb0c472bcc291b41fa5 |
| SHA1 | 76468bea5ff5b7991ed4f28dd0eee6db5e30a5dc |
| SHA256 | f37db89a9657e4e0c9b9903af106f3c7157356ca5750682c1f3c36989c803b83 |
| SHA512 | 0013da1115f96e2ad35d774c2a9ce5fcb39b07deb899b50d7667e1b3b95bda2345be6848202a8479a9ef855349b5b073caab35ae5d845560f8f874d377c4bea0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 80ab149f53ef83e73dd8158537d23c19 |
| SHA1 | 754128dc1ab329f9d410e29bca10fe28dce125ec |
| SHA256 | 076717147636b4b7ae6027fc47130267e5a1291ae80425d633dc371b0bd97a62 |
| SHA512 | 04e44f151f63bea6c51db8934095716d1c560d92a488e9e9a2b59555f61afcd87fd94e10e8f2929c5550ac6b341f15b97cbf41f813490891ee5f79717488633d |
memory/5008-140-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 43282a3afca4f9823a262c59de6f7a75 |
| SHA1 | beb042362febdc9dacacf32d0cf433768d69cdeb |
| SHA256 | fa840bbbf13e5e27a1fd0b8230845cb44a39c0e5f1ce19c7a30a3494c5a99717 |
| SHA512 | 516e1b9e7ba4d6bc0d7a15bad6825989180b4f0d09f8bfb02196cd20f6028c46f873abf35be89ebecc387dd95803d6943513c87dc1f638a7f951be3080d7fb5d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8c129e7e04ec2b8f0cf1a52fdc1f9cc8 |
| SHA1 | 06919a4f44e0b96531f5ff8ec81d5d022a42c73a |
| SHA256 | f73497f7d0326b519f25a0028d81c289adfc31f456d181e076c7492dae154dfd |
| SHA512 | 4b5cf152670d3679441a51a367cfecaa55df4537de1d01798ba13d6787c3a6a7db47625c5253bb4ec04a940445a1e4d5813ddd610b8a2d9400b6d7a406446376 |
memory/988-149-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1520-153-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b9984f4cf94c83774df6a2ea6bd3929d |
| SHA1 | 0c64a2eaa9b82dfd5d4306a33927cfa9a9d58973 |
| SHA256 | 1a862f67fa7c1418066546f871b2a92b43a41e8d0353cf7e739f08ac95e44d18 |
| SHA512 | 6aade24e6f13d4d6e1ec0d7cb70b42e832d3b0010531278753ab5b1a495306f1f6da65a4c2c61d146955713db3223ef27b9ae365f0588fb9eaef81d7672d7001 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 88662aa5e09f2727652c9d05e987ebd8 |
| SHA1 | e8c857b76f89f7faa7c2453b1e51c2581d574903 |
| SHA256 | 334d5a9b13f06e806b958d3d568b6345bfc9cc78ba1f593ccbca2cdc68bccf1b |
| SHA512 | fce8d9f5c195b6cb66a0cbe51e96f5161e3b651fdd0596736518446b8826e5f72cc20038b9e7e5720ae13b896647e97f3dbf5a5bd104282a39f6f53161b75189 |
memory/988-165-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5f9f661d63d725a2cff4a2d33b6a6421 |
| SHA1 | e5e184440cf92dc093dd1ed9fa39285899117740 |
| SHA256 | 69c02cb831697550a3a63d6ee035ecdb2c5419c74e14e56782fb2b5fe91ddf3e |
| SHA512 | eb2dc6df67a1d0132662ef18e185e2ed24d23055bb578ac226e938b128e9a5eabe7b92be98da675d25c81c29c4d3376dd0f2af1195e18bf03aa4f78ed242f7e0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 06b7fc761c09d41692d94630f2ed8179 |
| SHA1 | c7f5841ac51a1fac3ce890cc21a593ee594adcd2 |
| SHA256 | a1753a23fd672003c73dc9e39e19473210e2e0535bcab63782858fd832240058 |
| SHA512 | 9aa61ea563639fc7b66d763726ec71aff629bb07eeea73a9a6a95699eb445610f038bc5779cb34ff545fca38d95b3ed620ca2c0e7255db890276cd6b71608201 |
memory/4904-177-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fbf5c4a67fd529989767c49adcce9d97 |
| SHA1 | fa4c0e5fc97950aeec368379e509b3bfe0b29d13 |
| SHA256 | 40176bc95f9997972a0c1533e10661951938528245332065f97f8406d497ea9e |
| SHA512 | ce6d6b6af5f5815b1b76dbaf7e1d1d51b134a0612275d6689d163fb903e0ad69e591f68b637d870f6aba76a8a33f512e9aa5ed47ed2c7deca95143a90d5b05ca |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a80f6684188d3c8b282fa78522c3bf50 |
| SHA1 | 95047a409ac9b248b83ca7fa5995d94ed60ddb3b |
| SHA256 | 813b04c1b65af9348e23c191c56403769b921e115e3930a8e839a57c5c3bf607 |
| SHA512 | 76d796555ee3819b12b02f4e25c6a42eece41aa5eb065f64ad7addc2d916c779791c138c79fc2fc4ff4abff241c7abaed64ef637a5f01345852611ff0f079526 |
memory/5016-189-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c549a9b1cf8ca1b03280c1059da02539 |
| SHA1 | a62e9192378507034b91e9327a01bbbe1f4a8e38 |
| SHA256 | 43f94d8d508f803ec9f2efbad985ce57a510b77d0de54dd1aa79cbf2d84a31f1 |
| SHA512 | 2c9517465d087b92b5fb940ca96f3f22d9ac36f256a287d51c2948935549b3a01b8cdd65315124f872dd893e642258c7e49a97d18b2f83a5ff972f86deea8521 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a2f7db4db0e4ccce9de01a806b5f53bc |
| SHA1 | 147ebc1ea59a069c483a304189c026fc23741d9c |
| SHA256 | 0e8fb2382c87af055b971fb8a7c9bb1d1d562f4528e38ebc17d5dc100208768c |
| SHA512 | cfc7154ea07f6d5c52fa4bbbab427488a417f916fe84d28652ae1b168f8318bfcec83df9f396d6aff270f87a51dbffeb4d3069b88719264a9f092d67734b7605 |
memory/1916-201-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c8e2f99b9ed5a78edf0c62e23ae19a00 |
| SHA1 | 9334f3b5dd2ed341e254c53ab54296fc8cd3408a |
| SHA256 | 51c063108057e0e7f10a3a3fc9c25af6421730bc5cc37b94401cd9b3082bf3dc |
| SHA512 | bad718b7b5b6273d685d9471ab679bc67ec3077b6a9acd4bd8187e7b4d692010772a015184e862cf86659ce9f287aec3d27d944326ce26ca577e74e3295bbf2f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0ad9fc5f98b2c1e983b68a3ce7b951f2 |
| SHA1 | 5306c841d6a71117bb30f8767f06c1f7af74d30c |
| SHA256 | 22ccb3e42a0b819084894dd8a6c2cfd7e4d6e7be46f57b0c2c9bf5ee908c02ba |
| SHA512 | 1b4c8ba340f6d3d7d4292113c485b476fe6f41ad6cb7c112d072edb8968f88101f04d6e5e3524d7945fb08fd95df063e6292a2752a19884b7a58d3f449d33524 |
memory/1184-213-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | a8e9dac969ce7dc862067217059187b8 |
| SHA1 | 2e6993d15392dd47bccac23f4051ec02e2981b42 |
| SHA256 | e68820c846a4391e6c47254aaf4b6f03bdbf8f6854fc00515eb762fb0d90a606 |
| SHA512 | c7c110d1d27329e8bf0894bdde9715ce4a4ce8120c106772aa96fa5605203a576cbbb5a5a609a43e03197a2e198cb9cc7ecf0df8385d86a3d36d4d0d9edf3659 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 56cc67b46dac1b7bfe2fbb40613c399a |
| SHA1 | 2ca872a0038367e335f608008700c1279110976f |
| SHA256 | d3a8d8085b8cada68827e1c05edc048502272f79cc1721f1411609678bda1da0 |
| SHA512 | 97bcac87c244ad4b32f6cc4c8cea6b522c89c4060ff11c8c4f0117c49c34bb653cfdd55b7da33a21584df25128a5978229895ac55dc5256ece77baf5ac863eff |
memory/1304-225-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b65bc8f3def6e34f0788b14009823e31 |
| SHA1 | 2fd7f7ff5cc1777b950eb65d11593d7d81e54879 |
| SHA256 | d20a7a2830e1b0aec82e8fe55e9b87f8f9f970bb324dc05db8e3af9a6233d354 |
| SHA512 | c00e914c0d912cc74ba7a90700dcf68310889002112328f4e5e15e8202351de5d15574f0e6ebf63b330ce68853a60dd8b19b3a1a376dcb9659b77a574aafaa66 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6f521f80ca30c91247353233962578a4 |
| SHA1 | b73267ce88e8fe982231d75cdb6987545d2da337 |
| SHA256 | 3d1f11b62fb27f49959e7d7e811e740eefd1b7cb6088f50b357012239119ce1f |
| SHA512 | 452f327b0c0bf0ec889f721693eb476074e50ad1248ec149b72f86fd22aa67057202297cd4a8194e99251e19b5fc7a3d9d6416383a7d2b8cdc29a618e5adaa17 |
memory/5064-238-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c3b31555089dfd8184a274ea22d54f41 |
| SHA1 | 0018a84f09e648b4ff06b6ff98d8c3a95b74fd31 |
| SHA256 | 9f927340fe8c2546c28804990aca2b8d5fc75cc23d0173ccbaef08ddf47476e7 |
| SHA512 | de88e80a96653a24d37dcce9be40cf5139077bfa5e779643da08e155f25006403c1c527832f020287fcb4a2a3cbe9a3fd69c4e306baeb62dec91ca092c314283 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 27b8eee7d572b11ad657d0af4a2785b8 |
| SHA1 | 266cb64cb30cb669ef5b8d29762bb78726a30aec |
| SHA256 | 8b2a6ef8ded9d5fce443d494056c2de01a1edc533b491841aabd9ac92a2c8cc2 |
| SHA512 | 93aaed8696896c58add6d6f2d94e5f481fae69581ab71d36b92adc49b9a87d5ca4f8e940c6d9b61edec2701883065fe19d9cba47b66a611a8fbaac77dc2b88eb |
memory/3536-250-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | caf1e487dca129d1fc7823bc92feab06 |
| SHA1 | c798afc25dda122e6e6d58afe77536e5db42fab2 |
| SHA256 | 77d7754d501c1dc78668e26ed1024717a669d3073adcf1e2096da5c8351f61b4 |
| SHA512 | 78ac0a88a26eb99b728990d1e9f11142609ec8a614b2d859368456be137cca8ba619eb6bdbc71af87fe724002f4e7e97833ed7c36f615fe4222ddb4a71abcb39 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 43f4a7f36c4578c75943ff5d1370f4b4 |
| SHA1 | 4b2e8f44f30d2d8dc43d4c27d340477a61ce3206 |
| SHA256 | 1345de325fd73d72e892e97667650d335005a9f1702f0610e58216b753c83f7b |
| SHA512 | b7f56862e13060e39dce322bea0d3e99fc30d6be90c72033ba497fd1cebef8edcec1c7fd9c7102fc9e024c6e65f5a8e1368e683c59f80143efd23e3d52eb247e |
memory/3768-262-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 38ff3cdda239e7666e529102aafddf06 |
| SHA1 | ba8e7610bc2b9dd13caf234fde2b5dac4b9c5024 |
| SHA256 | 87b863e0b3fd6cfd1878fb5c93ce4bda7a73589ebb83adabf4155a39d99c2ba9 |
| SHA512 | 04cb8a67ddcf0985120e81cc113fd504440140e87622b8c6c633667f803ea5d312f738c81921092463086fa04777a57f4533a445e79277a418464d329145fcaa |
memory/2096-272-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2348-281-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1084-290-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4108-299-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1364-308-0x0000000000400000-0x0000000000438000-memory.dmp
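Two things in the Files section deserve a check before any of these hashes go into a blocklist. First, every copy of cftmon.exe and of spools.exe listed above has a different MD5/SHA1/SHA256, so each drop is rewritten with unique content and the file hashes are single-use; the stable indicators are the paths and the registry writes. Second, the hashes recorded for \??\c:\stop (MD5 c4ca4238a0b923820dcc509a6f75849b, SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b) are the digests of the single byte "1", so that file is a one-byte marker, not a payload. The Python below, an added example rather than sandbox or sample code, parses a constructed excerpt of the section, counts distinct hashes per path, and recovers the marker file's content by hashing a short list of candidate contents (an assumed list; extend it for other markers).

```python
"""Added example: assess dropped-file hashes from a Files section like the one above."""
from __future__ import annotations
import hashlib
from collections import defaultdict

# Constructed excerpt of the Files section: a path line followed by its hash rows.
# memory/... lines are in-memory dumps with no file hashes and are skipped.
FILES_SECTION = r"""
memory/4076-0-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4bd1b316622b36bf6d1f79ba3caafb0a |
| SHA1 | c6204741ad10cf8b9ef61a41659b4705fdf5562f |
| SHA256 | 5a0755396a5d6275a08760db3c1fbc7ff3ff29517c8af73b3b0bf357b1e908c1 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 69c2a2397c651ebabbf229b34e689162 |
| SHA256 | 6e50d1dfea5d7ec1a3b7492d6a167aec869cb91c69aae512f709c1c040923776 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c1a2ee293dbb64936308aa40f4219098 |
| SHA256 | c295ca1b632adedbad68394c109f658fd70fd7ddc36d3e72dcc685f1b531ede2 |
memory/3936-20-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3bf41077f74bf8704d12afb3cd03277b |
| SHA256 | f2045834f367834e3115a5f10ad01388e7112080926c863df0e5e2583c8ae32d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 78906762200487faf06d6291c7430e0d |
| SHA256 | df70efe19bc942d075a5149b573e17a28105a3e571a967bda2d61bf9202f2df5 |
"""


def parse_files(section: str) -> list[dict]:
    """Return one record per dropped file: {"path": ..., "md5": ..., "sha256": ...}."""
    records: list[dict] = []
    current = None
    for line in section.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if current is not None and len(cells) == 2:
                current[cells[0].lower()] = cells[1].lower()
            continue
        if line.startswith("memory/"):
            current = None                  # memory dump, no file hash follows
            continue
        current = {"path": line}
        records.append(current)
    return records


def normalize_path(path: str) -> str:
    """Strip the NT \\??\\ prefix and lowercase so copies of one file group together."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def hashes_per_path(records: list[dict]) -> dict[str, int]:
    """Number of distinct SHA256 values observed for each dropped path."""
    groups: dict[str, set[str]] = defaultdict(set)
    for r in records:
        if "sha256" in r:
            groups[normalize_path(r["path"])].add(r["sha256"])
    return {p: len(s) for p, s in groups.items()}


def polymorphic_paths(records: list[dict], min_variants: int = 2) -> list[str]:
    """Paths whose observed copies differ in content: hash IOCs are single-use there."""
    return sorted(p for p, n in hashes_per_path(records).items() if n >= min_variants)


# Assumed candidate contents for tiny marker files; extend as needed.
MARKER_CANDIDATES = [b"", b"0", b"1", b"1\n", b"1\r\n", b"stop", b"stop\r\n"]


def identify_small_file(record: dict) -> bytes | None:
    """Return the candidate content whose MD5 and SHA256 both match the record."""
    for content in MARKER_CANDIDATES:
        if (hashlib.sha256(content).hexdigest() == record.get("sha256")
                and hashlib.md5(content).hexdigest() == record.get("md5")):
            return content
    return None


if __name__ == "__main__":
    recs = parse_files(FILES_SECTION)
    print("distinct hashes per path:", hashes_per_path(recs))
    print("polymorphic drops:", polymorphic_paths(recs))
    stop = next(r for r in recs if normalize_path(r["path"]) == r"c:\stop")
    print("c:\\stop content:", identify_small_file(stop))
```

The practical consequence: hunt on the paths (cftmon.exe under %LOCALAPPDATA%, spools.exe under the drivers directory, C:\stop) and on the registry writes, and treat any hash from this report as evidence about this detonation only.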