Malware Analysis Report

2025-01-18 21:20

Sample ID 240323-xc5kjaag83
Target 26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc
SHA256 26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc

Threat Level: Known bad

The file 26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Detects executables built or packed with MPress PE compressor

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

Modifies system executable filetype association

Modifies WinLogon

Installs/modifies Browser Helper Object

Enumerates connected drives

Adds Run key to start application

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 18:43

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
(no per-indicator details recorded for this match)

Unsigned PE

Description Indicator Process Target
(no per-indicator details recorded for this match)

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 18:43

Reported

2024-03-23 18:46

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Note: the two values written here, "C:\Windows\system32\userinit.exe," and "Explorer.exe", are the stock Windows values, so this is a rewrite of the existing configuration rather than a hijack; the signature fires on the write itself. The write also landed in the Wow6432Node view (the sample is a 32-bit process on a 64-bit guest), which the native 64-bit winlogon.exe does not read. Compare the written values against a clean image, not just the key names, before treating this as effective persistence.

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
(64 matches recorded, none with indicator, process or target details)

UPX dump on OEP (original entry point)

Description Indicator Process Target
(40 matches recorded, none with indicator, process or target details)

Drops file in Drivers directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A 33
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A 31
(64 interleaved events in total, all on the same path)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Note: this repoints the Task Scheduler service (Schedule, whose stock ImagePath runs svchost.exe) at the dropped binary, so the malware would start under the service control manager on the next boot. The value names the unredirected system32\drivers path, but the 32-bit sample's file write was redirected by WOW64 to SysWOW64\drivers (see the file events above), so on this 64-bit guest the 64-bit service controller would not find a file at the configured path. On a 32-bit host the two paths coincide and the hijack takes effect; check both directories on a real host.

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Note: "%1" %* is the stock handler for .exe files; the sample rewrote the default value with the default content. A changed handler here would route every executable launch through the malware, so on a live host check the value itself rather than only whether the key was touched. The same write is listed again below under "Modifies registry class".

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Note: unlike the Winlogon and exefile writes, these entries point at the sample's own payloads: spools.exe under the drivers directory (named to resemble the print spooler, spoolsv.exe) and cftmon.exe, a letter transposition of the legitimate ctfmon.exe. "Local Settings\Application Data" is the Windows XP profile layout; on Windows 7 it is a compatibility junction to AppData\Local, so that is where cftmon.exe would land. The entries are written both per-user (HKU) and machine-wide, and Explorer on 64-bit Windows processes the Wow6432Node Run key as well as the native one, so the autostart is effective regardless of the WOW64 redirection.

Enumerates connected drives

Description Indicator Process Target Count
File opened (read-only) \??\E: and \??\G: through \??\X: (19 distinct drive letters; C:, D: and F: are not probed) C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A 64

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Note: every operation here is a deletion, carried out through a spawned reg.exe rather than by the sample itself: three existing BHO registrations on the sandbox image are removed and then the parent key is deleted outright. Nothing is installed, and the "stealer adware" tags are inherited from the signature name rather than from observed data theft. Removing existing Internet Explorer add-ons is consistent with clearing competing hooks; the reg.exe command line (Processes section) shows the exact invocation.

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Note: UIHost is a Windows XP-era Winlogon value ("logonui.exe" is its XP default); Windows 7's winlogon.exe does not consult it, and this write also went to the Wow6432Node view. Together with the "Local Settings\Application Data" path used above, it suggests the sample was written for XP. The value is still a useful host-side indicator that the sample ran, because a clean Windows 7 image should not carry it.

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
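The "Set value" lines in the tables above show why the signature names alone mislead: the Winlogon UserInit and Shell values and the exefile handler were rewritten with the stock Windows defaults, while the Schedule ImagePath and the Run entries carry the real persistence. The script below is an added example, not part of the sandbox output or of the sample. It parses indicator lines in this report's format, folds the Wow6432Node and ControlSet spellings into one normalized path, and compares each write against a baseline; the KNOWN_GOOD table holds what I take to be the Windows 7 defaults and is an assumption to re-derive from a clean image. The embedded report lines are copied from the tables above.

```python
import re
from typing import List, Optional, Tuple

# One "Set value (str)" indicator line as the report prints it:
#   Set value (str) <registry path> = "<C-escaped value>" <writing process> <target>
LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Baseline for the autostart locations the sample touched. Assumed Windows 7 x64 defaults;
# keys are the lower-cased output of normalize(). A differing write is a hijack; a write to
# a location with no baseline entry (e.g. a new Run value) is flagged for review.
KNOWN_GOOD = {
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit":
        r"c:\windows\system32\userinit.exe,",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\shell": "explorer.exe",
    r"hklm\software\classes\exefile\shell\open\command\(default)": '"%1" %*',
    r"hklm\system\currentcontrolset\services\schedule\imagepath":
        r"%systemroot%\system32\svchost.exe -k netsvcs",
}


def normalize(path: str) -> str:
    """Map the sandbox's kernel-style path to HKLM/HKU form, dropping the WOW64 view and
    the ControlSet number so one baseline entry covers every spelling of the same key."""
    is_default = path.endswith("\\")          # trailing backslash = the key's (Default) value
    p = re.sub(r"\\Wow6432Node(?=\\)", "", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\S-1-5-[\d-]+\\", r"HKU\\", p, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", p, flags=re.I)
    p = re.sub(r"^HKLM\\SYSTEM\\ControlSet\d+\\", r"HKLM\\SYSTEM\\CurrentControlSet\\", p, flags=re.I)
    p = p.rstrip("\\")
    return p + r"\(Default)" if is_default else p


def parse_set_value(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (normalized path, unescaped value, writing process), or None for other line types."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    value = re.sub(r"\\(.)", r"\1", m.group("value"))   # undo the report's \" and \\ escaping
    return normalize(m.group("path")), value, m.group("proc")


def classify(path: str, value: str) -> str:
    expected = KNOWN_GOOD.get(path.lower())
    if expected is None:
        return "review"      # autostart location without a baseline entry
    if value.lower() == expected.lower():
        return "default"     # stock value rewritten: the signature fired on the write, not on a change
    return "hijacked"        # stock value replaced


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(normalized path, value, verdict) for every Set value line in the input."""
    out = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed:
            path, value, _proc = parsed
            out.append((path, value, classify(path, value)))
    return out


# Indicator lines copied from the behavioral1 tables of this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe")
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" ' + SAMPLE + " N/A",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" ' + SAMPLE + " N/A",
]

if __name__ == "__main__":
    for path, value, verdict in triage(REPORT_LINES):
        print(f"{verdict:9} {path} = {value}")
```

Run against the lines above it reports "default" for UserInit, Shell and the exefile handler, "hijacked" for the Schedule ImagePath, and "review" for the two Run values and UIHost, which is the split an analyst wants before writing a host-side check. Extend KNOWN_GOOD with any further autostart locations you baseline; the parser does not need to change.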

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A 37

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2228 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe 4
PID 2228 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Windows\SysWOW64\reg.exe 4
PID 1040 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe 4

Note: the PID pairs give the process lineage of this run: the sample (2228) starts a second copy of itself (1040) and the reg.exe used for the BHO deletions (2360), and the second copy starts a third (1976). Four identical writes into each freshly created child are consistent with a parent setting up its own child rather than with injection into an unrelated process, so treat the three sample instances as one chain.
PID 1976 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1976 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1976 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1976 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2248 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2248 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2248 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2248 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 872 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1152 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1152 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1152 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1152 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 840 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2660 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2660 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2660 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2660 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 680 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 680 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 680 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 680 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2848 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2848 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2848 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2848 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2692 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2692 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2692 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2692 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1828 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1828 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1828 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1828 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2936 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2936 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2936 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2936 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3016 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3016 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3016 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3016 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2100 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2100 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2100 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2100 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

Network

N/A

Files

memory/2228-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2228-1-0x00000000004C0000-0x00000000004F8000-memory.dmp

memory/1976-6-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3fe2f5005aa9707dbd9a48e819b64d71
SHA1 0a3f5e9056a2695934192da63e0620aced728394
SHA256 21935be87c124f3f2090cf194da009b871cd6bf7069a544f922272577b5b3a43
SHA512 7ac141cf48ade45ab83230f48adeb52026c33504403635a675c404e9936712e9f3037cf3e4522881db98b248899ca4e627c5f3ff5d01bb313bf762c07a82abe3

memory/2228-11-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1040-10-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4d9a24161a0b0e7b34e0b1f3e802081f
SHA1 2a25a45f6f4211046e7238f5edf649b7659f6eb2
SHA256 f7eadc6b12a11c3ea6638740e9029cd9b4b9353ac37c9a74608eb5b52f78e88c
SHA512 8a0b57985b8fe7c466d3b049ea3800c6b0ca6f34c723b39fd3349230b34c60cfcab1f98078c86fe98fca0bc59f1aae991c30646c277041d0628324af94d3648f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bc1954c49a177f8abc09dc1b6de225bd
SHA1 abec58b80ab5a29ccf38f8a5c470860dea1a66ed
SHA256 a26c86be31eca1a0ecebd08ae55e94611234936341e0f432f0cbaa8ce8dc1e90
SHA512 f5295ac2c536c4de73f3ebd72013d709ff10974ec4a9ad9a4593dc1acf1027b85032a34b469c88a7855a824788e080a34bdf40a77ce042a8272838f5e2c7e26d

memory/1976-15-0x0000000001D10000-0x0000000001D48000-memory.dmp

memory/2248-16-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1976-20-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2329d680848b1d36d2e34342d22e9b1a
SHA1 a7814f9bef315f5a0ee03a4ee06d6fd74bcad2f7
SHA256 f0073bc31276794e050591f6c89ba38c9ba1ba6efe012922fe7792effccff9b2
SHA512 cb4b3767a66585db5af5c95d103045e61a516586d686437c050333c6a946b97f51f3717749dc5387be4f994e08571ddb6a252c3d96308db7821dcf97c6149c80

memory/872-29-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2248-28-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6e5efd0ac829ddbf1b83a8446a917fa9
SHA1 eb0825b3a3fdee5792fd5480f3b51c96887a53cf
SHA256 71791ff6243b3b7be345d1229bfb08d27c49536b45303ecc2bbebcab3062bc69
SHA512 704f5cc4f9aa836804c234930ede77e3d0769d4e332c5f5347b45aca8d40dcec86303abb3d4e7ade5c2ed3a1da65adf22319237e2f4d84167b9a93401d1d41e9

memory/872-33-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/1152-36-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 68a40cd1d179d52825d7532070621cf0
SHA1 22fb7b1d90ace34414db6efbc7feb1af324fe0c1
SHA256 4c028563604752cffc43174b51ea9e181e45fd65911377748e302d223c9b9a27
SHA512 6317336736d4dd36a308b2ab4155b4a05176b01e261d3f43f3b1dfba3f3d71005247636dab35e9b7c5f10602d9e89ce65318d30ad9781bd6d0fad00d10bc4494

memory/872-38-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 29dd93abee537136c1f880fee6330a24
SHA1 0a5a7276a0659f37bb75831703c3838bae8ce132
SHA256 ed4a5792579151bcc304f8767a3de09326fb559b340cb28c36941d9d7f097581
SHA512 4fabdebbe4d9cd9e5ba9855b6fcd9943f1b5da00d1cd5f4d0e0e3f7f936a0514a088d6da7506a1332171aa52a392d55aab4903e19dd0c185bea661ecbc1e89e1

memory/1152-43-0x0000000001E40000-0x0000000001E78000-memory.dmp

memory/840-48-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1152-47-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5277257ad8307404ec353748e8629bda
SHA1 1e458eceb8654a66ff5d86462e1a997175a8d538
SHA256 c2d6b7dd9508d9402cc165050dac384757da3e28f07d0ac527c1227c329cf4a9
SHA512 117ff972d22fbc46537451fdf590da7fdee998d39982f880a15393b58b1b23399ef652bde83be648f512b330688f5a71de273202b07b12dbb4de2b06294772fe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2ff4b7021d4eff30f0010052cb1324be
SHA1 20a9d8241b4a13442d030e4f7dca7aaeb9c09d21
SHA256 f87f64ebac22025e28e9fdc325cb6c9cb24ba0f7a00677131c9399c991c53ff2
SHA512 4d091eb0a0d6f2892e7024e37ff97ebaf6ecf07fc6e215d547c9e1debe38828f454c2a4e687b87907db3aeae60fbfc1b64701502001d7eacd79dbabd694bec3f

memory/840-57-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1c5012968e2bee3a8c5be3a102c67529
SHA1 963164704c23fdf22b8afd1a557ab79909f8cdb9
SHA256 e018a4468fc61f1f538ac0ced9a914cefd2ca051f94c333248a647c0d8969415
SHA512 a8c2a085b44a2f44b7fc10a9cf50202799aff8a0cf7aea51dce571647014ddaa11dc3604b3e791473bb7def04cbac13dcfa6d614b77f970f9e0308c166ec6cd3

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4fed41b016e699094055b4b15bebd495
SHA1 62e8151af8ea612458e6151ffdc5fb187ecfe225
SHA256 68f8c9019a922e0293a8dcc306699c9a3593306a46deb1e1fcd83ccfa12cc2f0
SHA512 168b28d0789300954e98caa1561456643932f84d84b869c1f62d7d3fb770420bebbfdc98ad01c7d3a91abf686afcad9066d3773e4ccdc2cdbea4bbefb3e68765

memory/680-63-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2660-67-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b84abd611165e8769ce6046e66a340b9
SHA1 bc4859df4d8c2d8044ab4539dab118025ec649a3
SHA256 ed727c88967861104855e7aff65669eacfda3e21677681eee5dbbfff461827b3
SHA512 3dac3400212d3bbde0db3e53aac63421d62d2a90ace7137c796d574df4e60d534cb401f984a129f8fc412655d18ec131e77ef2766c0a82d4e89d392207787898

C:\Windows\SysWOW64\drivers\spools.exe

MD5 efc6d0e3dac9bc07f2709537e155406d
SHA1 8ceee640e78ee384e998978b02e16eb236e40880
SHA256 af39052c7f5f6c6df225736d5ba4ea9c263909e01ee95917e3cdcabce6408e53
SHA512 cc3e63d426b7f3b6446337395e297857b336ab571110aedd51135d62b4da7cb1e30980cb2fd865b09c7c8db9a455b8d1985ae8583413744de0b1c305231cddf2

memory/680-76-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a1747a44c956d9e31846d0e493a35524
SHA1 b29764f4d42c2549a75868355653ead69f5df311
SHA256 c053106555f6f7edf8a22f667a869fffc4a98f1bfc369aaf6703cb72b208baaf
SHA512 4f9f00395bc27b98edc909c140ee7773f481f2a31c7b3316bfe7088d0a82d2cdd2a4126795794acdd6de4a363c87f7c0d8320809c81ead59c9fd66835714892f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3157ac97a3107d5d1444a2466f0a6fff
SHA1 aa1163a2b84c9451bf3a3c88a8a2321a720948b6
SHA256 a42b6063e4d6ef0bfd58a951e8431e3de2adcebedac77667874676e77bc3d918
SHA512 49a24cb253550268690318f8daafcbcec7f1f273dfb47cd2c22c132d8d1017501f10b297a1a5a11837223004c11536cd0bfb55f4120113a113f5bf1073bee816

memory/2848-83-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 662798b361267cd0fc9ff8ce12bc3266
SHA1 d8962533338bada8b6d863cf1362c00b8c1d6339
SHA256 42f865a7040456b2eb1066a494cc624413223e481aeaf7891602060fb7db627d
SHA512 68f87d9c19d7fd0cb9fc95186fe44b4b3167b5b17bf1a458c38e7ca8d64c472c211cd583e3753298c68bd9b0834ab0f03a0fd4967b36d509ded717c2396fef12

memory/2692-91-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1fff42ed290f553385a39100a4ce5fab
SHA1 948865394559f5754ec197a72771737927cdf736
SHA256 3efd068da54c498a23b792c8e98db7dc7553bb1b5b811780a585599e4e2c94c8
SHA512 6a79b7270de287ecf3c06f44d6c3f1b4b069621bd26ccc66d4140c6efda3b2346d2fbc09764f1fa0cdf91c3a3439ae170a41a8398c9927ce82c5b85109bf7ae7

memory/1828-97-0x0000000000440000-0x0000000000478000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 891c3f0c50fecb2dae2e80973fe6ac05
SHA1 27fbf4f0732403a92d9fc036f99aeecfd6d23250
SHA256 9696cbec2dfe1f021e0111dcf7c99edeb8bf2ade16c69893391f419ce43bc514
SHA512 3ed536ec0a829c4305b0fff88107e18fe10923c83f7fcc538ff6527ee0c14d69c47d26208bee53109bd0c70562338b7f11d2ae349c1405d54e3cbf4252575d09

memory/1828-101-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0f4564e50bb3ca382204e2f4402795ca
SHA1 72eb5ed3396a7e9952e06a943b6936c75be8eb4f
SHA256 4da8888aeda5f6a30417027509e2180b487a2db6880801e97c97f4513b3f923d
SHA512 a7f1ba55a2a6e6a3b593c2f614108c8aafbaf5d8751de19d18f3aaf46443bb9b2a7789623bf633e3f1f426d0f8cfdb7eff05d0ba38255abcea78780a41915004

memory/2936-105-0x00000000003A0000-0x00000000003D8000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d67a03f8834f26cf5d210b76fc6647ac
SHA1 6d423c26201bc165c237415b72922645697f954b
SHA256 88b3f7d6a315db3e40bcae1acaace919d0298d871e7c7cf074304baa236e64f4
SHA512 f682daabc97e022bbf83c72617ee5a711c1427981c67289f6b47722bc28fc09120dd4f682bdac33a80162a5ddbb9a316a5cd4ffdf329e85d193e2f7c241f8d5f

memory/2936-107-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6c720bc99a4d08496e0f6f10af930120
SHA1 ad748879fa46cd39a95fe8bc97a2ca8b75b40eda
SHA256 5c7d5db6d7860ba4be16d82030d1ddf624c8680689b4f4cb246441d1f2518dd5
SHA512 12bb3844375bf4d392431970803708f81f51e9a8030662eb262849c83d6f42c731d387f93c2feaed81e1c67a7afeb4fa74171f10d561765a17942e35494b8da7

memory/2100-114-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3016-118-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e57abdd5666f30669560c763f9e42470
SHA1 cd982079a068f4e6bcebddd93c32efe158b1b74a
SHA256 7f8079a767428f422188c2f2f2fc3a30e21e16e0b303abcfc33ce51d9b97b474
SHA512 dda246969d2beb03034558093f1485b42066abf5eab46b18a4cb2c362492e63bcf4af62ce8b5110e07f70c135e155e0e013871c63ea525e76c702c93013a64cc

C:\Windows\SysWOW64\drivers\spools.exe

MD5 97c56d548a54298485bc20a6a40801af
SHA1 e72cff7ca740968a4a3cc42210b67644366986b6
SHA256 c1cb99c2fcbc9908d15da618837817b1875ada44b54155804d830b7b8c6459bd
SHA512 d4da019f47458b0f73abf59d26baa3c193131713e6e684aeb0c2e913936ea2f06033a1e16e82391bbc194caf1ef83729e7b049ddd038b8f7e355303c613d0407

memory/2100-125-0x0000000000400000-0x0000000000438000-memory.dmp

memory/796-132-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5bef17baf6acacd825b029b5a5afa10d
SHA1 50d0a74bafdf299f2b40e4426a8ed589a348e36b
SHA256 4164a5757b8e4fd4dd3eb5b12b5ccddbd5e80c11af84fdb46897b0c666d0d79e
SHA512 1d35776c11487880f3b6785519684eb6db140b67c0d12cc8435b00dd4d7ce57bfb0ba8b9892f951b3edf43b21a62089e1cc450d73c06e753d7b23cb2495cf6d5

memory/864-134-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2c5632539df76b1002c5eee6fc6fd9f9
SHA1 ae5f80e05f0440e70ae0da50b57c84c8e2735da1
SHA256 763afcdd41ef06a9d6a090c97f1a14b26a4219729ff310e11ba8cff9866dcc5a
SHA512 ff4429241fb9bfc50f51051b0e394ced92d636a2fa5b558dd8982ca3d05f6ac896e69eae6d6eb922a8ba42774fcca3a7da3ded752e8174b9efbbba8cb42a3a84

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1a6ca898ab013a02370572f7ee9fb611
SHA1 701e73473969bc5957a9629500daddc9df4120b8
SHA256 37d7cff1b53081c943b056e2de02edb33a7cd079f02d43ac7919ae22ebf44b4b
SHA512 f327edefdede9b1905fb8778bf7ec001a388ad17644f552487ad47c88ba4c25df63f1f8ae7a59c46a7b91606a3c3c58c40cb466599b079a4ff593991b5c6266c

memory/796-143-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1b81a1d17247a81da07e43f5bc42a809
SHA1 8bf7922c21eae8a040b1291b5345b1f23af2c094
SHA256 a642506dd45a9a5554e74b5cc4c7a4b7c15841c49ac6da61a180042ad6f7873f
SHA512 c9b2a20c876094d9f8eaf0a65c9eda951c46578aa9e7f89af563961d63350b563e9be7593a12205d42ba5f9a4414ee730ddee6026947c9b08ea791f01d493401

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2d875fb6648ef2fcdd732158b9a120c3
SHA1 1f46aacd189bc27729c5772b3c208a8851eeced7
SHA256 40e8bd377025cb886610c48a7a4b85896ff821026310cf6634277f037e051814
SHA512 6bfad4e3ca68dbad7443e4ebe614890915362feecc725107e8dc03835cd1b16ed711dadf692a064724aa1f08693ec0f8b6057648b963c49c31f323512ae71524

memory/3044-150-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a2a5362582a6f48f5ad7d918f578d6b9
SHA1 d0e8fd6a137fb784b448efda58fa5449f206d835
SHA256 bf1480cd15ca0d10f7585b87461968c09d0e4a87463c26828bf2677403dbb446
SHA512 6318d92576fc0101d98702f2f0b89a36ecb1324cbc908df424488acf5a25123c4301420eb3496b4714aa02a4a858b67feca82384ed34bd25685186a3f4ad5f21

memory/2880-158-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4657d2a5e6e20635c5852c647e46cc19
SHA1 683f855970b3ef922f2a15be42a2266fbf92c68a
SHA256 8fd85d652ab5c776ddd1a1d0452838c2e8926300c079e99c6e70bb4cf2617a75
SHA512 2afa1725111f40f8303695d8d20e8a942c89fb22afadcb11eb8d86d6c2bcd9d39e4364d2f3e4698cbc48a3e4a502bc3ce1525de2d0259c034aa780ac1842bed6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3618293579481220b5d9434c8fa97d1d
SHA1 155736d764956cb29c56b55c0ece70b135ab711a
SHA256 5f8191d36bd384894e8d7cf681e7b0ddfc3b91c8373ed0415b806b21d283e4f9
SHA512 1e7d842b37f3ec9367dc77a506c6441f26b1868b06f451100ed226b1349d15886729893137121a3047245a92f0e9ff16a81e440a9719466dc1695bf1eba08244

memory/1572-165-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1d064381aa73df95ecc4104fb9eeed25
SHA1 f5b85418b2c08bdecf380d5ffcf45c447111b9f0
SHA256 a48b619c03b47f3b07158d96e44d925a7baa1eb2722d15f83b6a91e331689d46
SHA512 55c37b03c2eb1ddde8285741c2dfed5aa1bdafa1eff3bdd70359f1fcf2dcc5c1d0de18d642c779086168e53d43e8d6d874a734721fc02f9971a6a2fe31e6b8b1

memory/936-173-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d7b98a43c3e08dee028d674a978bab22
SHA1 c8d112233c1fccd01e9f417b5775d436d956588b
SHA256 0dfc5ebdc264d787a0f1971c406ef3dbf9b0318581dc20039c3e38edb61f271a
SHA512 b441a153dc3c387ce6e05dc56e1afaeb29a7c6a3f9bd1edcbce1e613a29e40de2039ff0dc334d87fb247f2a619b513ea5c08b9775b9d9de36cf34a3755113e09

C:\Windows\SysWOW64\drivers\spools.exe

MD5 225f83bdf73bc12f2b5ed1fda2960a54
SHA1 e0a83c29d64f3e1aae6a571783f0df1bbdbef14e
SHA256 86a5bd5f8147aae809ec718a051ac6fd38c267e6a75c405ed71b5a7fed992db9
SHA512 f91c1de474a8da9c08ebc40ed1b2d5e22b86c54f263a34f6a6034573afdda51b8ad2b46af5fe278646d0e76dadab93c25b1cafda1e0c7d55bfd1f6b029f82067

memory/2276-180-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 db4575f3fad93de9a84db1e4ad496158
SHA1 c0e9c698183e881a899506bc567c6487fb6e544e
SHA256 ae1c19f46cda64ef5c01a0a7ab5c204cc010e505e511b817ea8b94c87ccc6d51
SHA512 107629219270a317d27fabeba8909394b5888a3abece7ddaca5cd066be9a9d52962d46a73d8a49be533688ab09c42667e8f66a09f208cb8f586b667b0dfa6a8b

memory/2364-188-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f5d2e885ec78cba7f9fd9d1b7901a7e6
SHA1 53539062f89aa2105ed43885ba67c0617d6fc54d
SHA256 78f0f8284c7556449c52c2e97769ec1540eabb2a8469b1262b8a5ab6c4b89790
SHA512 0a9b71913263461337e8815cf6fead52a3f59c14997eb0730e739f8bcb7a17817cfb1b74b927e8f22fb03f8b9c24e5bb197f80958b31f9406628973ac3d82bff

memory/1208-192-0x0000000001FA0000-0x0000000001FD8000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a3b57a4d6216ef676e5f1a1bf96694b6
SHA1 cecf6b3fa13c771633d97bb40bc2e76d43c3c1e5
SHA256 0efac1d568d55a6f162ed6495ab46a829a2047452988cbd428d8c3e07001e3a7
SHA512 f1b002912432d5679fe5038138d1a8bf68d110fe0bfe1b8465a7d9e35f230b014dce9dda3d8bef0a2755b06b0647697db2cbf89a36e8a5b96afef33e8b397fbf

memory/1208-196-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8aa9bb6e24a5f9dd0e1f4e143a1a3d58
SHA1 071b8d860eba9f0fc10518cfc44e625ca8f14b16
SHA256 483f70caae4a395584b4190eee430687ac80d3f1c430b7e2f388787d8c8c9641
SHA512 b2944b2132b8832d333e01f462b5afe16c6c599f472350a1449f5735f6ce29cd44daa5bede7791414289983c850ba3aad120a61a1c4b9b324f812507f2650705

memory/1252-204-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b1cf71429e34aff00142ddffd64b39f1
SHA1 9a7757d84b74cb1739affb45d0ee0e298340243d
SHA256 1ac7652fba99e03a487473f917834bc351ef8c6294c7c955d62b8b3c81725da2
SHA512 43eadedc6ff772dbe3b386cf506724600daddaa3bf046d9c55f6b15203c72e7eedd05bd94abd6445eff09ec111d5375fead52c7a123b560226f652a20ac0c9be

memory/1344-213-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2416-212-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8957bc194f8dc67e4409acf1a62bbfe0
SHA1 503b9dbf2e50bc2fd45bd33e463acf49a15d2453
SHA256 8b3708dc2effe3efcd7b06ea44771eba0cbcc051827c7e62df2e36d861cb95c2
SHA512 cbe94bb314c28ea1bcf33146f4e5d88312798563ee3480630bdcede6ca1de5f3cb55944f376bb8197a16929402b6670c9536c7d87809b0162edd4a788ab6f6ab

memory/1344-208-0x0000000000540000-0x0000000000578000-memory.dmp

memory/2416-219-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2232-225-0x0000000000400000-0x0000000000438000-memory.dmp

memory/548-231-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1884-237-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-242-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1520-244-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2488-250-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2872-256-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1700-261-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2548-263-0x0000000000400000-0x0000000000438000-memory.dmp
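Added example, not part of the original report: the listing above records cftmon.exe and spools.exe being written many times, each time with a different MD5/SHA1/SHA256, while every memory dump is a 0x38000-byte region, most of them at 0x400000 (the default image base of a 32-bit PE). The script below parses a constructed excerpt of that listing and derives what is actually stable: the drop paths, the fact that one unpacked image of the same size sits in each process, and the legitimate Windows binaries the filenames imitate (ctfmon.exe and spoolsv.exe; that mapping is the editor's, not the report's). It also rewrites the XP-era `Local Settings\Application Data` path to `AppData\Local`, which is where the Vista+ compatibility junction places the file, so a host search has to look under %LOCALAPPDATA%.

```python
"""Added example (not from the original report): turn the 'Files' listing of a
sandbox run into indicators that survive re-packing. SAMPLE is a constructed
excerpt of this report's own listing (MD5/SHA1/SHA512 lines omitted)."""
import re
from collections import defaultdict

SAMPLE = r"""
memory/1828-101-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
SHA256 4da8888aeda5f6a30417027509e2180b487a2db6880801e97c97f4513b3f923d
memory/2936-105-0x00000000003A0000-0x00000000003D8000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
SHA256 88b3f7d6a315db3e40bcae1acaace919d0298d871e7c7cf074304baa236e64f4
memory/2936-107-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
SHA256 5c7d5db6d7860ba4be16d82030d1ddf624c8680689b4f4cb246441d1f2518dd5
memory/2100-114-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3016-118-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
SHA256 7f8079a767428f422188c2f2f2fc3a30e21e16e0b303abcfc33ce51d9b97b474
C:\Windows\SysWOW64\drivers\spools.exe
SHA256 c1cb99c2fcbc9908d15da618837817b1875ada44b54155804d830b7b8c6459bd
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

# Editor's mapping of the dropped filenames to the Windows binaries they imitate.
LOOKALIKES = {"cftmon.exe": "ctfmon.exe", "spools.exe": "spoolsv.exe"}


def parse_files(text):
    """Split a report 'Files' section into file records and memory-dump records."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line}          # hash lines that follow belong to it
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return files, dumps


def hashes_per_path(files):
    """Distinct SHA256 values observed for each on-disk path."""
    seen = defaultdict(set)
    for rec in files:
        if "sha256" in rec:
            seen[rec["path"]].add(rec["sha256"])
    return dict(seen)


def polymorphic_paths(files):
    """Paths that were written with more than one distinct content hash."""
    return sorted(p for p, hs in hashes_per_path(files).items() if len(hs) > 1)


def dump_sizes(dumps):
    """Distinct sizes of the dumped regions; a single value means one image everywhere."""
    return sorted({d["size"] for d in dumps})


def pids_with_image_at(dumps, base):
    """PIDs in which a region was dumped at the given base address."""
    return sorted({d["pid"] for d in dumps if d["start"] == base})


def normalize_user_path(path):
    """Rewrite the XP-era profile path to the AppData\\Local folder that the
    Vista+ compatibility junction resolves it to."""
    return path.replace("\\Local Settings\\Application Data\\", "\\AppData\\Local\\")


def stable_indicators(files):
    """Path-based indicators, each with the legitimate binary its name imitates."""
    out = {}
    for rec in files:
        path = normalize_user_path(rec["path"])
        out[path] = LOOKALIKES.get(path.rsplit("\\", 1)[-1].lower())
    return out


if __name__ == "__main__":
    files, dumps = parse_files(SAMPLE)
    print("paths with more than one hash:", polymorphic_paths(files))
    print("dumped region sizes:", [hex(s) for s in dump_sizes(dumps)])
    print("PIDs with the image at 0x400000:", pids_with_image_at(dumps, 0x400000))
    for path, twin in stable_indicators(files).items():
        print(f"{path}  (imitates {twin})")
```

Running it on the full listing rather than the excerpt gives the same picture: both drop paths are polymorphic, so hash-based blocking is pointless for this family, and the path plus the 0x38000-byte image at the default base are the indicators worth keeping.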

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 18:43

Reported

2024-03-23 18:46

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; no indicator detail recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (27 identical rows; no indicator detail recorded)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A (27 identical rows)
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A (27 identical rows)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A (27 identical rows)

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A (27 identical rows)
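Added example, not part of the original report, covering the Winlogon, service ImagePath, file-association and Run-key writes that this analysis records. Three of those categories are written with values equal to the Windows defaults (Shell = explorer.exe, Userinit = C:\Windows\system32\userinit.exe, with its trailing comma, and "%1" %* for the exefile handler), so a detector that only compares values against known-good defaults sees nothing; the signal is the write itself, issued by an executable in the user's Temp folder. The ImagePath of the built-in Task Scheduler service (Schedule) and the ntuser Run value both name C:\Windows\system32\drivers\spools.exe, while the "Drops file in Drivers directory" table above records the drop at C:\Windows\SysWOW64\drivers\spools.exe: the WOW6432Node keys show the sample runs as a 32-bit process, and WOW64 file-system redirection sent its System32 write to SysWOW64, so a hunt must check both locations. The script parses one representative row per table (a constructed excerpt copied from this report), classifies each write, flags default-restoring values and WOW64 registry views, and lists the on-disk paths to hunt. The ATT&CK technique mapping and the default-value table are the editor's, not the report's.

```python
"""Added example (not from the original report): classify the 'Set value'
registry writes a sandbox records, flag those that merely restore a Windows
default, and derive the on-disk paths to hunt. SAMPLE is a constructed
excerpt, one row per signature table of this analysis, copied verbatim."""
import re

SAMPLE = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
"""

# Row layout: Set value (type) <key> = "<escaped value>" <writing process> <target>
LINE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.*?) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<proc>.+?) (?P<target>\S+)$'
)
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

# Editor's mapping of autostart locations to ATT&CK technique IDs.
RULES = [
    (r"\\Winlogon\\(Shell|Userinit)$", "Winlogon helper", "T1547.004"),
    (r"\\Services\\[^\\]+\\ImagePath$", "Service binary path", "T1543.003"),
    (r"\\Classes\\exefile\\shell\\open\\command\\$", ".exe file handler", "T1546.001"),
    (r"\\CurrentVersion\\Run\\[^\\]+$", "Run key", "T1547.001"),
]

# Stock values of those locations; a write equal to these changes nothing.
WINDOWS_DEFAULTS = {
    ("Winlogon helper", "shell"): "explorer.exe",
    ("Winlogon helper", "userinit"): r"C:\Windows\system32\userinit.exe,",
    (".exe file handler", ""): '"%1" %*',
}


def unescape(value):
    """Undo the report's backslash escaping of quotes and path separators."""
    return re.sub(r"\\(.)", r"\1", value)


def classify(key):
    for pattern, category, technique in RULES:
        if re.search(pattern, key, re.IGNORECASE):
            return category, technique
    return None, None


def wow64_file_redirect(path):
    """Where a 32-bit process's write under System32 lands on 64-bit Windows
    (the drivers\\ folder is not on the redirection exemption list)."""
    return re.sub(r"\\Windows\\system32\\", lambda m: "\\Windows\\SysWOW64\\",
                  path, flags=re.IGNORECASE)


def location_note(exe):
    low = exe.lower()
    if "\\users\\" in low:
        return "executable under a user profile"
    if "\\drivers\\" in low:
        return ".exe in the kernel-driver directory"
    return None


def analyze(text):
    """One finding per recognised autostart write."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, value = m["key"], unescape(m["value"])
        category, technique = classify(key)
        if category is None:
            continue
        name = key.rsplit("\\", 1)[1]            # "" for a key's default value
        default = WINDOWS_DEFAULTS.get((category, name.lower()))
        exe = EXE_RE.search(value)
        exe = exe.group(0) if exe else None
        findings.append({
            "key": key, "value": value, "category": category, "technique": technique,
            "restores_default": default is not None and default.lower() == value.lower(),
            "wow64_view": "\\WOW6432Node\\" in key,   # 32-bit writer on 64-bit Windows
            "writer": m["proc"],
            "exe": exe,
            "location_note": location_note(exe) if exe else None,
        })
    return findings


def hunt_paths(findings):
    """Paths to check on a host, with the WOW64-redirected twin of each System32 path."""
    paths = set()
    for f in findings:
        if f["exe"] and not f["restores_default"]:
            paths.add(f["exe"])
            paths.add(wow64_file_redirect(f["exe"]))
    return sorted(paths)


if __name__ == "__main__":
    results = analyze(SAMPLE)
    for f in results:
        flag = "restores default" if f["restores_default"] else "new value"
        print(f'{f["technique"]} {f["category"]:20} {flag:16} {f["value"]}')
    print("hunt:", hunt_paths(results))
```

The default-value check is deliberately separate from the classification: the three default-restoring writes still get their technique ID and still name the writer, so a rule can fire on "process outside Program Files or Windows touches a Winlogon or exefile value" regardless of what was written.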

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Windows\SysWOW64\reg.exe
PID 4076 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3936 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2732 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2000 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 4628 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2268 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 852 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3060 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 4788 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 2940 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1392 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 5008 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1520 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 988 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 4904 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 5016 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1916 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1184 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 1304 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 5064 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe
PID 3536 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe

"C:\Users\Admin\AppData\Local\Temp\26f795c92ac7bc73af028c9f4a8597617413704d533dd468769ec34f2f5ef2fc.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

memory/4076-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4bd1b316622b36bf6d1f79ba3caafb0a
SHA1 c6204741ad10cf8b9ef61a41659b4705fdf5562f
SHA256 5a0755396a5d6275a08760db3c1fbc7ff3ff29517c8af73b3b0bf357b1e908c1
SHA512 e4802d5feea2ad927df06530776fa68d477d9b5a35ebe8860c0bfcdac9470a738992558bb5b8dff7735784a490cee84b93906f419220a425b5589c92e1ea7296

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4076-8-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 69c2a2397c651ebabbf229b34e689162
SHA1 b41a20bc000144f631265ed074f2be08e4d08d14
SHA256 6e50d1dfea5d7ec1a3b7492d6a167aec869cb91c69aae512f709c1c040923776
SHA512 1612a1d9896eecf8c64951e4a883711f7f00f9708c87c6010146cbc7865c1783bbd31dfb6123f807c42f4a81922a3d6ef4a677f0ced0e3b058ffe9f30b9d1958

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c1a2ee293dbb64936308aa40f4219098
SHA1 956b08f55c8fbf05d3e85c7c8af227955e55c653
SHA256 c295ca1b632adedbad68394c109f658fd70fd7ddc36d3e72dcc685f1b531ede2
SHA512 0818b8b7005251a334600e52d0bd87eebd520697b8b9617801f9f61dcb0c0331331804bfb6b4a872cc61e4b184eaa9942ce3bdedb3e2db2cd6726be504992e33

memory/3936-20-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3bf41077f74bf8704d12afb3cd03277b
SHA1 0e4293a3eec99b9a576d80930be4b59c34501d09
SHA256 f2045834f367834e3115a5f10ad01388e7112080926c863df0e5e2583c8ae32d
SHA512 cd4c63b072b38582eeb9d3e6028f4e38136bac4a4a21b2a6b1901a4ca86ff84c27b75a3bf45e1f722e1ad8dfdbe85b618cda645b16623cd10631afb6794fbf69

C:\Windows\SysWOW64\drivers\spools.exe

MD5 78906762200487faf06d6291c7430e0d
SHA1 6d54c12b285f1e0274bbc150460af41b696cf567
SHA256 df70efe19bc942d075a5149b573e17a28105a3e571a967bda2d61bf9202f2df5
SHA512 6ffab12d3019651fd9609f7d48ee1046a99b7ddf4c4fe46726956e146f3a0e94bb50ba7cb1dca64af5e2140cd5803a357707a02b029fc8b43a9f683ba040c4e3

memory/2732-32-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 60d007fe5ba7f42b6e126c94748d3e28
SHA1 eb792e5fa31dbc9b8dfe35f91ca8b3476aca9391
SHA256 a0eee0ed2cf21a46c66aed63446b97fcb27e2c1135993befc909aa97cfaf7c22
SHA512 81447a6b2cb9809b183d33e6bf8e0c74c92607c20518b99aa03f514a5ef79ce90878c424c1af87f00b53d16be587a45bfe26d7b8361eee655091a6988184259e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c06795fdfa7fda00dabd14c7be0df1c8
SHA1 e58e8b7ce4cd656e4d3cae703db0299907ce5bee
SHA256 3e98d9b92fe844637137cba625eaf607db9198e49d23664b7c2d63f6cf2b3763
SHA512 f26468f888b1c0f3971693220fba228d044713a8feb0e78b5b5aa716197d101f6745d135904da992710a7d7187ac191e0e6685b7994dc3ba97c803c533283622

memory/2000-44-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3249edea9d812bc98749c63b2ff80a10
SHA1 707e885225eef8b8c120c5525a87116c4bfb1533
SHA256 8d901f4dea22de9ec3458b92fbc377ac22cf7b7e770c9496cd3e507a8758d8d5
SHA512 f806df36fc37990db09937c773ffbfc8827700e79bd032c0aa6f17c5f53c506ac832608be86601ce9b402e63c52b25a00c04b90cf3b6df84f20158a1681bb40d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 98556ece0f43245aa58f89a743480cf2
SHA1 8dce211eb36b1ea21fa29a22c2f5e99d34d3937c
SHA256 e9f86c1f1f2593b42c7468e00b4798acb1cd1e97d415dddee427c13b8b1105ec
SHA512 338e9825cc25db0557103da68cfe1dac848913f3cfae85543c21edb72dc54cf0ecdc2d13e2f5af6d54800c7a9112137dbcf3b77646319474fc40ffc3b4d5f532

memory/4628-56-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3e6e65bd063a83d5c9f19daa47e12efd
SHA1 cdaef4a235eec8dab56c9fff61eb5dc51c3cb86f
SHA256 8107ca927b39c78f0883629fc4f69b3976dfca75b09b8ad5e280a56169520fa5
SHA512 259f1460262646b3e1a098eead97d329d133925ffa2741d58524da663f17fca20b2110356113830527cdf50dd6808b0230712688c632f6056fe547cec4b05433

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8204261e69e79817babaffd5816052e9
SHA1 b44d90ef8fa6530b869189cc448e966331e3fad4
SHA256 e2f79cbae25edbcd419969346de7ab228ae18dfe3a158591a398de0a616b6b3a
SHA512 efdb42fa272329f54eead30e142892a671d63fce380496130743fdf078b1a9f41353236eea117892892b825b342f9a367e433fca59f0d9d2454508a6573cce38

memory/2268-67-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e49920f36d804b2365caec17216c81ed
SHA1 ef0d609dc1577b7006ef94b85a532a8cf167ca21
SHA256 e214de384214329d0736191b7fb2f8461d9846e81511e99f783910026a726199
SHA512 76bbe21c36c5c8111b41ecde9cfc93bf0b6ea3e2337fed5287607c521b2e6e1a39596d8c033e0b9cec1611d5a1125948762d635c22c03b287b5e8623847010f5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5fcd5c0facccd95f26993ecf0678b759
SHA1 771d8857cded6b8c43735d58473c6bb5baed0114
SHA256 98fba6f3663df6a2f87fac97f008ea4154aac40436a5a51d5f0349ced829769f
SHA512 2d05d282abfee5a679a723b42fdda5675b57340468d785af03efa4ffe43b44a98d5da8deec4cdd4036dd06460e898e78d655b80288190e713e7d72e9309b1e17

memory/852-80-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 42a918b2bda2b6e465ecea6dda5ec009
SHA1 2a9289010c70bc80c5541f4934817e70102589c6
SHA256 070bb7fb4040b5945f24410ae11e48f37a1b6a3ca5051c36c5ca0a1114a5785f
SHA512 3998bd10832bd6a7fe7cb5a4d6e97d3806a72daa8e6979dacee9a37d28a7cb097074d228dea6e4dfc7863120fafc3953b3a79e6062c4ca8d3328404c2746d8bf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7dcbd29799fec8225bf7c42411d0ca59
SHA1 c7a8ff879f573e5d706a9c416f5a6ef3a3dcb4ff
SHA256 8423c7a85a64cec4dad1ea9088b442bfb5897719a99638da613dfd93ae1acba9
SHA512 6d22a61d1261f8f3942d1b1367a3eccbf8137acd8c6f4740d1617fcbf5fc899f6466921db09525818af4b306e1e0f7a15f749d37493ec1709d4c389bf8480bf4

memory/3060-92-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 cda7246782fc2e5984f188e09b3e3964
SHA1 c3ed9a63f49ba5f96928d569453db2049d78b1f0
SHA256 de7c32945ec3e0c8c91b1bc165bdc51ee48b4c82f1683707374c435c496fde38
SHA512 13ba2c0e3a71555179648b530662a8a81bb994830db6f964eecbced2bb5942871745fb70c7467f58582d99785cb3e471040263945ab4bb7b565ca7806b93dbf7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 62d2d93f326a9b39478bcf4578bec16c
SHA1 0ac355807eaf4e35c5dad4169b57c31566108419
SHA256 933cba6c74e0c7d2c2584c4b932856181c3adcc603c4763058540c1af2f3987a
SHA512 d0a230b16578bc8738ecbcf7f0177d510ae587eb4736099f4f9de081f4cc0a5a1884ebcd1e8f546d1a645209b4b299650d8fc0fda9c08d50913fdf8b8ddb1822

memory/4788-104-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 767d548e682af9f4af620e4db207eb4b
SHA1 90bdd0e9a06b3aae307a30ef81a043beb3d8724f
SHA256 c9cc8deea9f1c28ccdd28a4cfc36d2d74bbb8b0784ecdf86cf11ce72fdc896bb
SHA512 476660b4090e3322d06b2bfcfb1749ab938b391cc2ce7877235a29c392b863870d10f6875806e66de8f717ed0b540441edbcc2c9f0b2a43159838c3889f1c9fa

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4eb5f74e4becca9ee2dca2498882066c
SHA1 3db2fa95524a832cce9d8dfae3581dd3979702ba
SHA256 3564e09d366b0c5fa1401d63cd95e7d361e33aeaea828e7a32a896ecdec96817
SHA512 69a9bccc02040819e2c14d6764f17fec3fa23038dd903fb141a3f4a818fefe91dc37c301c34ecef017b8ded4e40a645aa33b4752418ddf662672709d57c14dca

memory/2940-116-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 244f3ed5dbf2060a3fe58706090cc288
SHA1 e593ddf8dd51fc333d37a86f4274d235f2b74135
SHA256 58c2b625f034ca538ccab3a60e4b17c0080f466d3dc28bbbd4eb28e616444d69
SHA512 4ceeabc4df8bdf780ba58364f43bf3cc4deb0de076961ec6eb0c0e2706c3dbb5acb80cc5e0f97900521e83c5eddd0bfc1de81fb5619c7d9a1458afe18fe84a5d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0066a4909431d4f28affa0337d82f5ab
SHA1 c587c90482b621f4315a998c339b528856a8632d
SHA256 36f441719cf4206d4de19d3b1bfe89b6466e701875dd55d175184ccce91a5691
SHA512 53c85e6675435f0d6c0ed416f750391974a3350d62e2d90db9755eade2883a4525e26a272e6ac13458de0fe71d8a05a256569708d33143775290e6232593faf6

memory/1392-128-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5456ae8c1b8b9bb0c472bcc291b41fa5
SHA1 76468bea5ff5b7991ed4f28dd0eee6db5e30a5dc
SHA256 f37db89a9657e4e0c9b9903af106f3c7157356ca5750682c1f3c36989c803b83
SHA512 0013da1115f96e2ad35d774c2a9ce5fcb39b07deb899b50d7667e1b3b95bda2345be6848202a8479a9ef855349b5b073caab35ae5d845560f8f874d377c4bea0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 80ab149f53ef83e73dd8158537d23c19
SHA1 754128dc1ab329f9d410e29bca10fe28dce125ec
SHA256 076717147636b4b7ae6027fc47130267e5a1291ae80425d633dc371b0bd97a62
SHA512 04e44f151f63bea6c51db8934095716d1c560d92a488e9e9a2b59555f61afcd87fd94e10e8f2929c5550ac6b341f15b97cbf41f813490891ee5f79717488633d

memory/5008-140-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 43282a3afca4f9823a262c59de6f7a75
SHA1 beb042362febdc9dacacf32d0cf433768d69cdeb
SHA256 fa840bbbf13e5e27a1fd0b8230845cb44a39c0e5f1ce19c7a30a3494c5a99717
SHA512 516e1b9e7ba4d6bc0d7a15bad6825989180b4f0d09f8bfb02196cd20f6028c46f873abf35be89ebecc387dd95803d6943513c87dc1f638a7f951be3080d7fb5d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8c129e7e04ec2b8f0cf1a52fdc1f9cc8
SHA1 06919a4f44e0b96531f5ff8ec81d5d022a42c73a
SHA256 f73497f7d0326b519f25a0028d81c289adfc31f456d181e076c7492dae154dfd
SHA512 4b5cf152670d3679441a51a367cfecaa55df4537de1d01798ba13d6787c3a6a7db47625c5253bb4ec04a940445a1e4d5813ddd610b8a2d9400b6d7a406446376

memory/988-149-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1520-153-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b9984f4cf94c83774df6a2ea6bd3929d
SHA1 0c64a2eaa9b82dfd5d4306a33927cfa9a9d58973
SHA256 1a862f67fa7c1418066546f871b2a92b43a41e8d0353cf7e739f08ac95e44d18
SHA512 6aade24e6f13d4d6e1ec0d7cb70b42e832d3b0010531278753ab5b1a495306f1f6da65a4c2c61d146955713db3223ef27b9ae365f0588fb9eaef81d7672d7001

C:\Windows\SysWOW64\drivers\spools.exe

MD5 88662aa5e09f2727652c9d05e987ebd8
SHA1 e8c857b76f89f7faa7c2453b1e51c2581d574903
SHA256 334d5a9b13f06e806b958d3d568b6345bfc9cc78ba1f593ccbca2cdc68bccf1b
SHA512 fce8d9f5c195b6cb66a0cbe51e96f5161e3b651fdd0596736518446b8826e5f72cc20038b9e7e5720ae13b896647e97f3dbf5a5bd104282a39f6f53161b75189

memory/988-165-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5f9f661d63d725a2cff4a2d33b6a6421
SHA1 e5e184440cf92dc093dd1ed9fa39285899117740
SHA256 69c02cb831697550a3a63d6ee035ecdb2c5419c74e14e56782fb2b5fe91ddf3e
SHA512 eb2dc6df67a1d0132662ef18e185e2ed24d23055bb578ac226e938b128e9a5eabe7b92be98da675d25c81c29c4d3376dd0f2af1195e18bf03aa4f78ed242f7e0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 06b7fc761c09d41692d94630f2ed8179
SHA1 c7f5841ac51a1fac3ce890cc21a593ee594adcd2
SHA256 a1753a23fd672003c73dc9e39e19473210e2e0535bcab63782858fd832240058
SHA512 9aa61ea563639fc7b66d763726ec71aff629bb07eeea73a9a6a95699eb445610f038bc5779cb34ff545fca38d95b3ed620ca2c0e7255db890276cd6b71608201

memory/4904-177-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fbf5c4a67fd529989767c49adcce9d97
SHA1 fa4c0e5fc97950aeec368379e509b3bfe0b29d13
SHA256 40176bc95f9997972a0c1533e10661951938528245332065f97f8406d497ea9e
SHA512 ce6d6b6af5f5815b1b76dbaf7e1d1d51b134a0612275d6689d163fb903e0ad69e591f68b637d870f6aba76a8a33f512e9aa5ed47ed2c7deca95143a90d5b05ca

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a80f6684188d3c8b282fa78522c3bf50
SHA1 95047a409ac9b248b83ca7fa5995d94ed60ddb3b
SHA256 813b04c1b65af9348e23c191c56403769b921e115e3930a8e839a57c5c3bf607
SHA512 76d796555ee3819b12b02f4e25c6a42eece41aa5eb065f64ad7addc2d916c779791c138c79fc2fc4ff4abff241c7abaed64ef637a5f01345852611ff0f079526

memory/5016-189-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c549a9b1cf8ca1b03280c1059da02539
SHA1 a62e9192378507034b91e9327a01bbbe1f4a8e38
SHA256 43f94d8d508f803ec9f2efbad985ce57a510b77d0de54dd1aa79cbf2d84a31f1
SHA512 2c9517465d087b92b5fb940ca96f3f22d9ac36f256a287d51c2948935549b3a01b8cdd65315124f872dd893e642258c7e49a97d18b2f83a5ff972f86deea8521

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a2f7db4db0e4ccce9de01a806b5f53bc
SHA1 147ebc1ea59a069c483a304189c026fc23741d9c
SHA256 0e8fb2382c87af055b971fb8a7c9bb1d1d562f4528e38ebc17d5dc100208768c
SHA512 cfc7154ea07f6d5c52fa4bbbab427488a417f916fe84d28652ae1b168f8318bfcec83df9f396d6aff270f87a51dbffeb4d3069b88719264a9f092d67734b7605

memory/1916-201-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c8e2f99b9ed5a78edf0c62e23ae19a00
SHA1 9334f3b5dd2ed341e254c53ab54296fc8cd3408a
SHA256 51c063108057e0e7f10a3a3fc9c25af6421730bc5cc37b94401cd9b3082bf3dc
SHA512 bad718b7b5b6273d685d9471ab679bc67ec3077b6a9acd4bd8187e7b4d692010772a015184e862cf86659ce9f287aec3d27d944326ce26ca577e74e3295bbf2f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0ad9fc5f98b2c1e983b68a3ce7b951f2
SHA1 5306c841d6a71117bb30f8767f06c1f7af74d30c
SHA256 22ccb3e42a0b819084894dd8a6c2cfd7e4d6e7be46f57b0c2c9bf5ee908c02ba
SHA512 1b4c8ba340f6d3d7d4292113c485b476fe6f41ad6cb7c112d072edb8968f88101f04d6e5e3524d7945fb08fd95df063e6292a2752a19884b7a58d3f449d33524

memory/1184-213-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a8e9dac969ce7dc862067217059187b8
SHA1 2e6993d15392dd47bccac23f4051ec02e2981b42
SHA256 e68820c846a4391e6c47254aaf4b6f03bdbf8f6854fc00515eb762fb0d90a606
SHA512 c7c110d1d27329e8bf0894bdde9715ce4a4ce8120c106772aa96fa5605203a576cbbb5a5a609a43e03197a2e198cb9cc7ecf0df8385d86a3d36d4d0d9edf3659

C:\Windows\SysWOW64\drivers\spools.exe

MD5 56cc67b46dac1b7bfe2fbb40613c399a
SHA1 2ca872a0038367e335f608008700c1279110976f
SHA256 d3a8d8085b8cada68827e1c05edc048502272f79cc1721f1411609678bda1da0
SHA512 97bcac87c244ad4b32f6cc4c8cea6b522c89c4060ff11c8c4f0117c49c34bb653cfdd55b7da33a21584df25128a5978229895ac55dc5256ece77baf5ac863eff

memory/1304-225-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b65bc8f3def6e34f0788b14009823e31
SHA1 2fd7f7ff5cc1777b950eb65d11593d7d81e54879
SHA256 d20a7a2830e1b0aec82e8fe55e9b87f8f9f970bb324dc05db8e3af9a6233d354
SHA512 c00e914c0d912cc74ba7a90700dcf68310889002112328f4e5e15e8202351de5d15574f0e6ebf63b330ce68853a60dd8b19b3a1a376dcb9659b77a574aafaa66

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6f521f80ca30c91247353233962578a4
SHA1 b73267ce88e8fe982231d75cdb6987545d2da337
SHA256 3d1f11b62fb27f49959e7d7e811e740eefd1b7cb6088f50b357012239119ce1f
SHA512 452f327b0c0bf0ec889f721693eb476074e50ad1248ec149b72f86fd22aa67057202297cd4a8194e99251e19b5fc7a3d9d6416383a7d2b8cdc29a618e5adaa17

memory/5064-238-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c3b31555089dfd8184a274ea22d54f41
SHA1 0018a84f09e648b4ff06b6ff98d8c3a95b74fd31
SHA256 9f927340fe8c2546c28804990aca2b8d5fc75cc23d0173ccbaef08ddf47476e7
SHA512 de88e80a96653a24d37dcce9be40cf5139077bfa5e779643da08e155f25006403c1c527832f020287fcb4a2a3cbe9a3fd69c4e306baeb62dec91ca092c314283

C:\Windows\SysWOW64\drivers\spools.exe

MD5 27b8eee7d572b11ad657d0af4a2785b8
SHA1 266cb64cb30cb669ef5b8d29762bb78726a30aec
SHA256 8b2a6ef8ded9d5fce443d494056c2de01a1edc533b491841aabd9ac92a2c8cc2
SHA512 93aaed8696896c58add6d6f2d94e5f481fae69581ab71d36b92adc49b9a87d5ca4f8e940c6d9b61edec2701883065fe19d9cba47b66a611a8fbaac77dc2b88eb

memory/3536-250-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 caf1e487dca129d1fc7823bc92feab06
SHA1 c798afc25dda122e6e6d58afe77536e5db42fab2
SHA256 77d7754d501c1dc78668e26ed1024717a669d3073adcf1e2096da5c8351f61b4
SHA512 78ac0a88a26eb99b728990d1e9f11142609ec8a614b2d859368456be137cca8ba619eb6bdbc71af87fe724002f4e7e97833ed7c36f615fe4222ddb4a71abcb39

C:\Windows\SysWOW64\drivers\spools.exe

MD5 43f4a7f36c4578c75943ff5d1370f4b4
SHA1 4b2e8f44f30d2d8dc43d4c27d340477a61ce3206
SHA256 1345de325fd73d72e892e97667650d335005a9f1702f0610e58216b753c83f7b
SHA512 b7f56862e13060e39dce322bea0d3e99fc30d6be90c72033ba497fd1cebef8edcec1c7fd9c7102fc9e024c6e65f5a8e1368e683c59f80143efd23e3d52eb247e

memory/3768-262-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 38ff3cdda239e7666e529102aafddf06
SHA1 ba8e7610bc2b9dd13caf234fde2b5dac4b9c5024
SHA256 87b863e0b3fd6cfd1878fb5c93ce4bda7a73589ebb83adabf4155a39d99c2ba9
SHA512 04cb8a67ddcf0985120e81cc113fd504440140e87622b8c6c633667f803ea5d312f738c81921092463086fa04777a57f4533a445e79277a418464d329145fcaa

memory/2096-272-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2348-281-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1084-290-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4108-299-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1364-308-0x0000000000400000-0x0000000000438000-memory.dmp