Analysis Overview
SHA256
32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8
Threat Level: Known bad
The file 32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
UPX packed file
Modifies system executable filetype association
Modifies WinLogon
Adds Run key to start application
Installs/modifies Browser Helper Object
Enumerates connected drives
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 19:15
Signatures
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 19:15
Reported
2024-03-23 19:17
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
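Reading these signature rows needs a caveat the sandbox does not state: the data written to Winlogon\Shell, Winlogon\UserInit, Winlogon\UIHost and exefile\shell\open\command is the stock Windows value, so those signatures fire on the write itself rather than on a hijacked value, and the Winlogon writes land in the Wow6432Node view (the sample is a 32-bit process; the 64-bit Winlogon reads the native key). The entries that actually change autostart state are the four Run values and the Schedule service ImagePath, all pointing at the dropped spools.exe and cftmon.exe, names chosen to imitate spoolsv.exe and ctfmon.exe. The script below is an added example by the editor, not part of the sandbox output; it encodes that triage over the rows copied from the tables above. The Windows 7 default values, the ATT&CK technique per location and the lookalike table are its assumptions.

```python
"""
Classify the registry writes from the behavioral1 signature tables above.

REPORTED_WRITES is copied from the report (the trailing backslash the sandbox
prints for a key's default value is written here as "(Default)").  The stock
Windows 7 x64 defaults and the ATT&CK technique per location in RULES, and the
LOOKALIKES table, are this example's assumptions, not sandbox output.
"""
import re
from dataclasses import dataclass
from typing import Optional

REPORTED_WRITES = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "Explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     r"C:\Windows\system32\userinit.exe,"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost",
     "logonui.exe"),
    (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath",
     r"C:\Windows\system32\drivers\spools.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)",
     '"%1" %*'),
    (r"\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser",
     r"C:\Windows\system32\drivers\spools.exe"),
    (r"\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload",
     r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser",
     r"C:\Windows\system32\drivers\spools.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload",
     r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe"),
]

# (path regex, ATT&CK technique, expected stock data or None).  None means the
# location has no fixed default: anything written there is a new autostart entry.
RULES = [
    (r"\\Winlogon\\Shell$", "T1547.004 Winlogon Helper DLL", "explorer.exe"),
    (r"\\Winlogon\\UserInit$", "T1547.004 Winlogon Helper DLL", r"C:\Windows\system32\userinit.exe,"),
    # UIHost is an XP-era value; Winlogon on Vista and later does not read it.
    (r"\\Winlogon\\UIHost$", "T1547.004 Winlogon Helper DLL", "logonui.exe"),
    (r"\\services\\Schedule\\ImagePath$", "T1543.003 Windows Service",
     r"%SystemRoot%\system32\svchost.exe -k netsvcs"),
    (r"\\exefile\\shell\\open\\command\\\(Default\)$",
     "T1546.001 Change Default File Association", '"%1" %*'),
    (r"\\CurrentVersion\\Run\\[^\\]+$", "T1547.001 Registry Run Keys", None),
]

# Dropped-file names from the report and the legitimate binary each imitates.
LOOKALIKES = {"spools.exe": "spoolsv.exe", "cftmon.exe": "ctfmon.exe"}


@dataclass
class Finding:
    path: str
    technique: str
    verdict: str             # rewrites-default | non-default | new-autostart | unmapped
    wow64_view: bool         # written through the 32-bit (Wow6432Node) registry view
    imitates: Optional[str]  # legit binary the referenced file name mimics, if any


def classify(path: str, data: str) -> Finding:
    """Map one registry write to a technique and decide whether the data
    actually changes anything relative to the stock value."""
    wow64 = "\\Wow6432Node\\" in path
    basename = data.rstrip(",").rsplit("\\", 1)[-1].lower()
    imitates = LOOKALIKES.get(basename)
    for pattern, technique, default in RULES:
        if re.search(pattern, path, re.IGNORECASE):
            if default is None:
                verdict = "new-autostart"
            elif data.lower() == default.lower():
                verdict = "rewrites-default"
            else:
                verdict = "non-default"
            return Finding(path, technique, verdict, wow64, imitates)
    return Finding(path, "unmapped", "unmapped", wow64, imitates)


def triage(writes=REPORTED_WRITES):
    """Return all findings and the subset that changes persistence state."""
    findings = [classify(p, d) for p, d in writes]
    effective = [f for f in findings if f.verdict in ("non-default", "new-autostart")]
    return findings, effective


if __name__ == "__main__":
    for f in triage()[0]:
        tag = " [wow64 view]" if f.wow64_view else ""
        mimic = f" (mimics {f.imitates})" if f.imitates else ""
        print(f"{f.verdict:17} {f.technique}{tag}{mimic}\n    {f.path}")
```

Run as-is it prints one line per write; the five findings with verdict non-default or new-autostart are the ones worth a host check, the four rewrites-default findings are noise from the sandbox's write-triggered signatures. Other samples can be triaged by swapping in their rows.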
Processes
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe (this path appears 68 more times in the original listing, one entry per further instance of the sample; no command line is recorded for those instances)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/1888-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2552-8-0x0000000000400000-0x0000000000430000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2988-7-0x0000000000220000-0x0000000000250000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3cd21cc48859dd97c49c87fcddf15500 |
| SHA1 | f6051eaa53a93a735e7deb7df95cf29eba8d66e7 |
| SHA256 | ff02ebb379aa36891a678cb37df0ae09d492551eadd2d6f00ecccdd6e7d798cf |
| SHA512 | 0a7018597746c91efdf0d7286c355c340c2d26d662f9512201b624e75f5f93a3b481f4f0b3aedc21c124c56ea328dabf264ff4c0050585f5d027ede72e74989c |
memory/1888-11-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2988-10-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | cc60a7d03b516f7a07f1b98c53cea35d |
| SHA1 | b85d183b2a417b17a23486db5839b173d15736cc |
| SHA256 | 2702c74e1786fd31cac6729266b707bcb23a36f24f5a82449db3a9fc4ccecb85 |
| SHA512 | 70138db2334fbecb5f48c1383ea04465a58384d9d143f54388e665945ee7e73997c0cbd149f15bc2b40836025fcb3bfcb3cfc1f931e5c23f82520312232fc92e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8ecd402fba80de2860c17a932896e88c |
| SHA1 | c987a6c0b7513c4f385da902bd1d2458c05f6d00 |
| SHA256 | e900da0b6fcf0802e59c1865421f69b9c5506eff9fa91fd8f3acb92f4668608d |
| SHA512 | 4e26676336d312633cdc3b9e3cc2b8509a1429200627f22c07cc004682d718a667aa69101400732afdcec0e64873e571e724554d01b4d3f4dacdb307ae7c63c0 |
memory/2484-18-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2552-15-0x00000000002A0000-0x00000000002D0000-memory.dmp
memory/2552-20-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2484-25-0x0000000000330000-0x0000000000360000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 82eb0c1ba8344a296f462663251356f8 |
| SHA1 | 76cbab697bc2bc4782caf8800dbdab8898d51e6b |
| SHA256 | 7c46df7aa9f16a163a856e00d98fa4365c6ee440ba3bb1ff2d4c7e6c9ca5b9ad |
| SHA512 | ab4e92396aad44fb086676dc1d7d149aa67c8139eb8ce0c6c95e8c367763301fee9b69ee523ebd57a23db3ce998f9725348b93440c19a2d0b348302788a43264 |
memory/2412-28-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2484-30-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9b54d107d4aee74e29a48b0f633d20b2 |
| SHA1 | c92eabce770a78456d505120aea4f9d5f8b57b8b |
| SHA256 | 30ed1a6357165920605cf0b991c4644432acc4d150f24c64f72a657fdcde3682 |
| SHA512 | baaa790d4ce7cb47153e32c65b678cf471c147149a6d1577a79e7f02877e3f06c59f5b40827a86850304d3ea6b77fcdc1a3fb70b2514327927ce358d7455d0cd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e0ba3312261f2b468ee3738fc2b9b2b9 |
| SHA1 | 973d3f245a1fe0af8c8bf5dcadd7d56725bc69f6 |
| SHA256 | ed4cb806f9c0c7d54f8973b0914ddf7d61295f1c1d99d5aa52b1a9a724ee9828 |
| SHA512 | 21837e82fff3c137c68a98d4e2df3dfa09d0a582f0b12f685c18748c95a19ea25d06dbca6216921f8c66880cbf59518b1f1c9ab93915faad6514f80a440464bb |
memory/2412-34-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2412-38-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1852-39-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | db445b64d758560b3a730e352606d7fb |
| SHA1 | 586ab6ef24dadc302553de1095b1806f5e55993b |
| SHA256 | aa4e14e03432c3c29d009997f84f8acacd9e52e626c8d549ab4df8b09969748a |
| SHA512 | 768a0c64088c055a2cb57488654f6f26e23c3cd89faacb2cb230963aeb372a96ca354d216db0f9f61e74d5441db4a0cd44f48ac34b3a28a5e99535db370e7a9d |
memory/816-47-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1852-46-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/1852-49-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 63667f718468036b45eaf0005fe13196 |
| SHA1 | fd582fb642f5a5fd53c5d2a0b5ac7f4c0b2b0dbb |
| SHA256 | 9ccd73a36a535b9e04dbb3e902ebf8014845a49a258264547baac92037cade4b |
| SHA512 | e21d365f7affaacdb51ea1950dc4172ec78cbebb6e364f155cffecade99470002229c2818417d1c70c3454d53956d3fd5d308b3162b541841e328831af9cb0e5 |
memory/816-53-0x00000000003D0000-0x0000000000400000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8fcb9a118a071de11d6dcd184a9bf0cd |
| SHA1 | f682a9406de39b2f2ad3e04d6bce2df919dcc1b3 |
| SHA256 | 025228a5d54047744b890e3b1dd4d488d4a7f52fbe367fb7fe89c96efa62d7dd |
| SHA512 | 9910d447938485106a762f4fcb151a0b49ea10f3b06a74cd8fffd61af656923f856eacad4fe92797405545a8c2a26ad227fbdfb49d419650912e9bab5957b160 |
memory/816-57-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9990124154670daef1916e64af70e051 |
| SHA1 | 9fc613bb93d3ff25a189a134e23445355bb2273e |
| SHA256 | ab0e13845d58071b1f98fa4fceb2f6670186ff9d29de650cfcb1e3bc1143cb31 |
| SHA512 | 1d6824f4fe387cb76ac7fac261ed4942f90809a538dc1450339a197af7e7612ffe86c3e9bfe1379f60a0f686b8c739f3d3a47364a1f93f146f3b895e7a032822 |
memory/2644-64-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2652-66-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 26642fcadfc1bd691ecb1f19108b91b6 |
| SHA1 | 74b7a39a584e4b98201c0a832b8de6c2e344502d |
| SHA256 | 839971b437b755cc5466fee08c7adb6e74b3e649f25f33ef6edb0ec5e34fcf0a |
| SHA512 | f7da633dd5ae9bf2247ba3ad5de18c74bf2cec55c8c057dded55f615d64664addbaa048c3eb102ea35b37199c3c3bf863a9bb42351fa20c9da187027ba3ea7d7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b4c1425becbe0472407cd142d88330d4 |
| SHA1 | ab618dc5e2b476029dbe4d0c30b2db1b3338ce80 |
| SHA256 | e829d28b5d322a6397efdd9a9bd5909e62e5a3691276e3a1cccab252e0dd1351 |
| SHA512 | d7714f608a9027d9fc26040625d8937a9338f79129f097c2c16930b65b4c708a8661b95a84e8ae4d0418532333907e543953bc56ea4af8509234f613bf71de65 |
memory/2644-73-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1864-82-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a80125b654a5fc988843f05f62752976 |
| SHA1 | 837eff1f6cb1583150477591c8bc6f8c2d3c6c21 |
| SHA256 | 8396bf2b59adeee0333352d4126a8bafe32a963c1627b65b674a90b5b4853d3a |
| SHA512 | 5fa462b3c36899f21162f0986a9de043acd002b5dde4020f7f5491fcea26bf5d5c1342018cb42a2a9f4c3feb7aa3ca1cf510eccfed013ce4ac35c72e9af0027c |
memory/2780-78-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9350c7d11c18fcda82d07ca84d374ed9 |
| SHA1 | a968abb01ca3326274c1ba3782ad210693f48ea2 |
| SHA256 | d1806e796d79a1906f7ad7f90109b55f6da10ad876b98d773fe491698325c287 |
| SHA512 | acbf11940445435541e1bfd35219f04ca99c9cd3e25a2f5892bace49594cb3871bab2e2563f3a1401d0d6ce8e448ea3344a56ca98c4f36b4169def22af395f0b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c78b8cbd913ff5f35f773456f48f0a00 |
| SHA1 | 744636bf96c42dfc6c7ac3e3d1f0d2ec0922eb86 |
| SHA256 | a9049cf52e3b339c428b682890a107cf11cf3aec311a5b5fcde9c136f28cb0a8 |
| SHA512 | cafbef7af55bed0b12619ddb872b4066211a15ff9f02cd4942db41a3eb3e2707ff4f75d94b78a6115248e75dd26c67041330d1c1de2e1970a12e38eebedf3d3c |
memory/2780-86-0x00000000003D0000-0x0000000000400000-memory.dmp
memory/2780-91-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2340-89-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 385ea5534d0d80db153baf4daafeec3a |
| SHA1 | d94d22a363a8f02020fad1beadd3dbd3b6a676f3 |
| SHA256 | af4ebd647abb83688aa4c41baf90f268de62c56b71052b694d8c05d7e2b11091 |
| SHA512 | fa30ed952c38c5091f522267af0e4e66ae0fd6caa671f79f72fa7e10083b5a2b58c8fad121d6e9eee049b680dff91dbe18ce9916ef3e7e12ae4d4dc29986ce08 |
memory/2340-99-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2ccd4b2066aeff79a79f4ae5ff3c286d |
| SHA1 | 11e993107ed28b53284e45b0cb81a93be2a6c736 |
| SHA256 | b00f577c64ec5be59ba7feea7a7a0dc04aa893d1da846a6b72682b6f6b238927 |
| SHA512 | 64f94c6cdabc878493d834b4281e651d34d9d2072f5539f18e20b98c2d35cb5c131dd35e6401b2fc3c49a3f34b5efc1085fd32df224e18ad95a9032398d4fbfd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3c289446cb9233d327fd44041001298a |
| SHA1 | 8d72b0f1a80b321f2c9a70c7b556bfcc501c2185 |
| SHA256 | df245ac8b6f28b34297afb8f0de13035885574444e34ef2e3254ee6c381aba5e |
| SHA512 | 33169f44ca5633b2cc1265ede0f1ce9f2e851a4e5632c3fc6b9659f21c9a45142d4a7dfcfde0a04f70026c7442c989b84d4c750925652ddfd22e85a740d2b03e |
memory/2884-106-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 11364c6341983a4ea9fbb663c534e48d |
| SHA1 | 6b8b0489b2bfb9d9188ac299b014eaafebd5aa5c |
| SHA256 | 175cc3e0247ab2c82277800117c112d0f5aa5509a4c9b85243f39c84e3e04016 |
| SHA512 | 2ef768bd113888eddf96866e890d54ff1b548c13c302c02518b962b7606cdad1142aca4ec2e027d39606d2671bf77e3f980c653c46e90418be7b1f741451e132 |
memory/2960-114-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2860-113-0x00000000003C0000-0x00000000003F0000-memory.dmp
memory/2860-116-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d8469e138ec699c99b67c9a96347d876 |
| SHA1 | b2c7afe0bdaf5ea7f2a01453d6298e10c13b377a |
| SHA256 | e6134297e1217cf80715a4524ad54dbcd5b0b73f6064874b674d5c49c4c8e70e |
| SHA512 | d8016e149b70e93ff0c95422f743563a6d5d858d7b50ea440ea6773849a81508ef44e6514fb53f30bcc04bba506139db7d36901f68b3dc720ae2d75d4c4df2f5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 08e6610be5b4f74b06f065de5482ef5e |
| SHA1 | c4c076f1e6ebb520ad3c4c9c235cc405dc7bfcb1 |
| SHA256 | d68765b0615ffd7921a9aa775faffbc792994620aa832ef65d893d8f4e3abc0c |
| SHA512 | 54ed1a6f79eb24333a71e4d504d6abd59c92256ac1b5b22d167607a684ee8beb19d5f3a5bde09209cbcdccdef9e1002ac6bd509b4058054512b1d5932008e376 |
memory/2960-120-0x0000000001C00000-0x0000000001C30000-memory.dmp
memory/1988-123-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2960-125-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 72e4680e394c4e609ff99301e910a47d |
| SHA1 | 871743aa2ee0d74074b5803df54c9e397f57c292 |
| SHA256 | d3ab2d5ac33507c2176f6e3d1ec0964c4a4b97ba65ec518e300378b342c5393a |
| SHA512 | f74aeb738cebb89d8213e153ce52a3fd50e9dbdbb032a5d6c1bf31061d8de4e26896de66ccc8759b9f7ba2b0b9dce0c2a1fbd1f6811a9aaca1c1e8be57f3ceef |
memory/1988-132-0x0000000000310000-0x0000000000340000-memory.dmp
memory/1592-133-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1988-135-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8ea8255a28f619931367b597fe011cdc |
| SHA1 | 1ad2f69801ac81f9a4b737f28fff4acdf6e8bc44 |
| SHA256 | d16bfb26cff412cfc0a7e4ed661b2f18c92817c8bda5481153fbafc85557aef0 |
| SHA512 | cb664076a34b603e6a456a714a67f5fa7f30fc285bd3612feb918444ee423052427a526072c185d3d08d884450633290123b2cf271da285033f825a2d0397e4e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | cf61475d5892d49ebd8551e30d05e338 |
| SHA1 | db3036698ca39a3540156b318c13b11d299972ab |
| SHA256 | 3eeecc4a759520d6fcc4b1a5b968bf43a3e6782a0d9c769b7d13f02a5ef4e1f7 |
| SHA512 | 467278279d6c9b87f309d7563f84ffac6306cae95847024c4a62e3431e3e08dbd3919529dc159dc98ddc2c15c7b6718d6b6e1ce312ecfa717bb38c8769685db5 |
memory/1592-144-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1056-142-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1592-139-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/1056-149-0x00000000003A0000-0x00000000003D0000-memory.dmp
memory/3052-152-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 17ec6a932c021ff945559babfc1f0587 |
| SHA1 | 9c5face2258c1631d8601d5d67aa3259082dfdd1 |
| SHA256 | cde16f311bec92494d9c98f2067b27da61fae7631333d4851d0a5de201c7055a |
| SHA512 | 585f99151d114545caaff3e2a8f6a7f5088a9b42dbec0d52f00b30eeba2dc61061e2a449d6e052386e84a80e9931a4f9d4b1b72ded55a0fc0a455ea1ffa17ebe |
memory/1056-154-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7a7b6d319a55077e8e1c10487fea6e38 |
| SHA1 | 1c45619ff0e794f89aabf60e23fc1e1ffb30bb21 |
| SHA256 | 62690c05acf5b1dbacbcbd1129fee821aeb63c525af4df628ea4b2d0b2856f7e |
| SHA512 | 12dcd1cfddab2de08d1f67640c8dd942f1c97c2d5e0b8f104b796fd6aee5bd96c084225b511df71941dec8072705ed504876509cf9ea3740af1fd278e71a64b5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b297dda0ca40e2e972096d91ef1ec4d9 |
| SHA1 | ec59f0da2a1524a8478f4006383f965cbc04c4df |
| SHA256 | a5fb795914541e3bae6ee518fed4eb5bef5233c1a008e8e27876f75587ecd263 |
| SHA512 | 328db01e22bc7f022664c88a11233f836e6e6ab4d9abab9b729088d9519491904725457a8c533f8d1db108db42542968a7c20756312490b0edd45fd52c838f86 |
memory/3052-161-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e88add4ddbfc37c90387bf35aaa1a79e |
| SHA1 | b158321dc9e05fc75797f3169cee70df0d7b4991 |
| SHA256 | 5f80381aa26b8d33c51579323196272ac71be30db45dc42118848abe7d284d28 |
| SHA512 | 5508dcd4719e646a10791549e658ab031ad32d7a97f081a94a657fe3ecb95efa0591809bf9712f4a44219a5ed1a0721bd94de0fa3700f1779bd79757f265a4ad |
memory/884-166-0x0000000000400000-0x0000000000430000-memory.dmp
memory/860-170-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-23 19:15
Reported
2024-03-23 19:17
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Modifies system executable filetype association
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.230.140.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.178.17.96.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/3200-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 44fabb24a73c639b8fa5692edec55dbb |
| SHA1 | 866f5a1999efec936aca9d6877269d6f934ec111 |
| SHA256 | 81d691d95ee53f48ea9dbef5923ca9ef18b22549412641e67463e442bd0ebf87 |
| SHA512 | 26096989ce7ee4e113d3ce25008ffcc3e36756ffee4c26820ea0e472f4a97639430187a3650fa3cd9a696ca3e80ffcb73a176ad5754851b2a5d1d96dcd59fcdb |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3200-8-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 909c67390a1ccaf95440dfe9303dad20 |
| SHA1 | a2553b67d735d140268929c0f59605154aea0f06 |
| SHA256 | b8b9b3f9a83827d017f5c3711525a6cbf2ef71a2b78934cdf78333ee6d2e75e3 |
| SHA512 | 56b80b8484b5cb73f52876ee268695b3ee1659a968e89075687f86041ca227ee55cc943f24cfd8f5a94ca321cc260866113bc3a2e372f583b2170e1fab4bf19c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 62fdd9794f665f203ee2a61ecc350c02 |
| SHA1 | dffdf5e677fe81d644d0a7e1ff1ecca1abe42fe1 |
| SHA256 | 2eb59d153fd55028e58957d3dda83517305904b1e5f64fff21acba1646e62934 |
| SHA512 | 1259e4d1238e82cf322d6ef8cf7960971781ed9adbf3741ac621460b2ef013322a64c3627658626757f7e8ae2e3d06402d1917a8cdf01697a05caae3d6187746 |
memory/1440-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5016-20-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7403259a42b63dd82c7be54e817a9aa2 |
| SHA1 | 4758b3d5c50eb5417bb72fdbecfd0a2b635d6b31 |
| SHA256 | 9935e7a270601aec8df60e63b9fd057b7e860284bc36647f15caadb6cf328dcc |
| SHA512 | a20099be3f7624c979b1dbdfefc8d295b202960fe080da14da9c7812afdd328a960bd3d0680a6c4709bfa1c1a89c9990dd73578ffd6a86dc5b73269bd11bb49f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7d3ecb4f8e2c21e524b8685262c2c88e |
| SHA1 | d8d3b77a7a29b667a768f98ece425162e4dd99fa |
| SHA256 | 7b26e28df763d7fc685fa04c32f51d3dd310a19c3f3f68e49cc10c5d1908c427 |
| SHA512 | 9f3034976af77549d0b06432b21616aad1adae5f71a52b9c0aaf348374a28de4119a92427cdc5885136ae29e81dd508d3db76c5cfd613589bb5fd5562aa42984 |
memory/5080-32-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5016-34-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 881a2c5d9081ac8b4a8558dbb9348dde |
| SHA1 | b2950b97a45ded6c14d321b87702f966fe1d8b00 |
| SHA256 | 2f28e614a7375ddc530152c3e098010d22b6762a45c87836f3813e7ef4276ae8 |
| SHA512 | e285eefe05b687fc618508d9277d19f672825d3289329d94e7a812183dd92877250735343bcc63d6195fdb57641752ef19d72dd0435be683b5226258296fd103 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1a6e1e090f4ce4a073577cd7225a0755 |
| SHA1 | 50827661595503f615a7658e52d091843c07af86 |
| SHA256 | 558ae0101dbb53e265d42d67be641debf35d1f1890a6b847e86cf2431f127302 |
| SHA512 | 535d93ca215bce717199fde243f70ad523459a2b7781ca2a26c30c372da4f62e76e9de64b45238220acfc1dd09cb8d65f804302520acb77152cbfc1412cf7eb2 |
memory/4924-46-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5080-47-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | eebe2bb3e3f49af7b4445b41e4492663 |
| SHA1 | 8c897b530d25323c336e4e8c4b82ca329710b8eb |
| SHA256 | 2a45bcc206a6f062ee7991f4a00e5a4b9f605c4cd5f4ab0979968b44d5cff80f |
| SHA512 | a5b588183e868d3f5520078196e7f8a8f998483923405d2795c4d6e84989b699856f33f3c8c00df0802939c574dc489600b040f2f7746e282ccd6bb20ef0a7b0 |
memory/2200-56-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4924-60-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a9e996c79b2be0dafeb5a19be823bb12 |
| SHA1 | ddc582e99502537884b71b24c7b187e7b8ff70b3 |
| SHA256 | 3c2742595c429022ecd20ca2af87762a622673c5257f9c22af0a300a0f75ad83 |
| SHA512 | fadcbbe16167f9d1bd9013c22c3e105d9246dbe535a974cbeabe16e3f42db0689a46fdfe9b6f0c8d76493f091e1d3c85e3644b45c32ed8e6bcff1e5c1678f5c1 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f99a662afb194ea66610805388ac6910 |
| SHA1 | 0d262d4cbe77fca2eaa239f64633084586ca513d |
| SHA256 | a6ef1750d69aed5cc41020d6d71841bf4354db33ea2376ea6a3c491345d8997c |
| SHA512 | 4dd960ede8536c71011ae0b0ec5c6e0ed33339feb1796569d789652b22f91eecd394368413adf88bb147b0952158fa0363517b1834d6f119d801ea06d493ff87 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4d26d0fded92fc0aa91ba2d7f98da1e5 |
| SHA1 | 170382950d1d357b9584412ded1e3576008d2c96 |
| SHA256 | 39ff89cf6dac80e59bc22cfaf9d358bfcb8f2d3d110252e5d3c29046a030d434 |
| SHA512 | af78065379a8d6e2f538a1bf8dccfca68e3c717cd1434068703ee71e73ac9169348cf21ee05f25186e40f59779588addae11ed6b8235742e788c48b14575c834 |
memory/3108-69-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2200-73-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5787d5ec684cfa45550cd60002fde88e |
| SHA1 | ba6cd645a64f13d21afcbea42622444d7081a58e |
| SHA256 | 48c05f959b97c042e4ba9c3d9f8224a05235f77ba43741d3a6dc099abf364554 |
| SHA512 | 80833f458e311e30c921eac095b7c9b5a1f92ee697c2b2c8295908a687b9d13ca36a9833e36a51b9112f86260cf9147561e0f72d21a8d1632631fbf85912248b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 38a8b8eb69586facb2be6c1a82b73b20 |
| SHA1 | b299f9c4e3e1da3750534bbcd129fe48d2819222 |
| SHA256 | a9a0677eb7ff60d8f3663a177f4d3e43f7fd0ce206d69b8ae8dec61b924ff32f |
| SHA512 | eb795379d46a9d20b104bc76aeaea5d2f13360dbe8829610ff8e4cf7115f7e5dc85da601c5491a910930241c3b6bc1a17d682c62a03a4f5a6b9d314743dc2f43 |
memory/396-85-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3108-86-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2d9c96bd10a67311c51febcb04493703 |
| SHA1 | 27c184a7f28f5ec87498c9c68e40fc01432f94b1 |
| SHA256 | 998668eb311375e3d11075b40962383990ebd7f164c17cebb6b489d01124e59c |
| SHA512 | 8066107f7b2ddf0ae6c50a875112b4f8debca8574f4975a8d057fdc88f8c19686760b3108be87f70700a5966f029e22dfb01131c1c4148e58780dd2993ebe6ae |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 68c5205d6e55e8647dff5067a3e329d0 |
| SHA1 | f2561226cf63ca9aece894b0b5b749362895ef85 |
| SHA256 | aa3ecc2199fda74036ca9bd76f5512983aaa4969a100cf0aedc55db38413cf44 |
| SHA512 | bfa1d4f29594d3b0a8917deb9b37a610c8c912196f29180bf4f7341befacb2d593b01861c56da05ca100ca0de64e39b00c82e1a16ca7cf497f6522537d6d22d8 |
memory/396-98-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 31af50b0f8d753939e454084a9e56e8f |
| SHA1 | 72282f3df91c6c110343eeb75c47b9a496a8be98 |
| SHA256 | 4e437b8e374a179dbdfb220ba4c27b7641107be28ca44cc90b9b5de9b22ca558 |
| SHA512 | 62fa921d307be22f0bcad1ffaadbee489bc40f947d4fb74c90457284572dc55d42783a3686684f2837dd7c7f8bde8989cfcefbe6bc949cb4ec932efa6d21217d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bee6b4f40b6a3226b7674a051b19dd09 |
| SHA1 | 6a1d16faf8be53c72d3124932c5b4a9a057fc913 |
| SHA256 | 538133659d48f05ee3fc4401b8a77b93b78b7cd5b3478313b8a8d4fa7d55ce6e |
| SHA512 | a92a1c42a1f50ad93283dc9cde4857af73bf83180f7dcfad15ad5ec6bac2c0e32007f8eea0024a7d15b4fd405429cba84056bb36f20741f9e6dbca623e0f2726 |
memory/4048-109-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2336-111-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1a53e99a731cf02d2bb3a7bf0dc18d71 |
| SHA1 | 8ee9d331f90182fc1d8e29284b8278eee7ebe01a |
| SHA256 | ed27b398e3e543a1318b4b83179e6aefee2dd3792d87693b2915d2b53e357bd6 |
| SHA512 | cb8b5de0bcf9f0b709b5035e49bbf0e22b9586d7ff1d0dcaffdef62c4667ed52b40e1f3263f4994359e1b620ebff471adbf56dfe7a0036963e6bc26d4cdcfcd6 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 87fc6caaeae8314d603cb9bceb1cc110 |
| SHA1 | 999fef5259c6a3880d34f5f7eef8568c31d70bbc |
| SHA256 | 6309b2286042b95f84b1f3d3dc839f1ac1eb713f01ed23356f1a2f91faefebbd |
| SHA512 | a6d2a8cc50b30f51fb88b3f472b00932532381f55b187e378563380ceb4d8f33bf831b189ef6ee8784c9c88a1552441ee422aacc41cdd74a33877c7ccfd45394 |
memory/4048-123-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fe1f1073701b3c2cb9431f622315c801 |
| SHA1 | 1eb5bc9ce9e8a0912e2103b4183320459b934ccc |
| SHA256 | f8b09895a6c5b3a4bed1a67afe76f2acccb953e191f781002d0801efc166e190 |
| SHA512 | 68892b002ac79762aa84470216cd6d5ef2fcaa4b2b9ac91693d008c310b5ae08a1246e59903141d98cda15f36d51270fb1762d5d32d5530fdd1f3345214e8797 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9ac916f3d0059d5f0b7918df0b0cf9bd |
| SHA1 | 395cd086a7438b010d327ed124a316eae05783c8 |
| SHA256 | d94328bb8fa81e10f813900490df6882c73ae5b85d442bdedfb1e774f1cb4c18 |
| SHA512 | a3e2a7278aca27aa31dad40e63d567749b811c52f73f90759e4bdd7bdb927bc1b29e4948d160a163cecb7cce6c9af1a58b8af1f12177755c90ed6100cf5e4bd5 |
memory/1824-136-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3924-135-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 17412ea0e87517caf2cdce3326538d52 |
| SHA1 | 8531ed67c9c0b10d3f905bfac4f3a956b2b8e34c |
| SHA256 | da7fe64a3530a3a2c8b7670d13e2cb323fa054b58607987885974d5265f18e56 |
| SHA512 | afca5ae0de7c03f2d9dd566acad1228c33b41874282c5a9662c05722ed42a83abd25abca03d23575c4c62de09f000b9feda77938a236e980731697c6561f7c2f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2059fb64d109263819a79faeaa42605e |
| SHA1 | c8578dd14a19a0635e7a1a3b9e2fd79fde69e65c |
| SHA256 | 8fb5279f6ad203a3a3451f934d3d52c1b5e09b7bcff816ae8e3c5ceba4020192 |
| SHA512 | 9d75641936e703daa62ee7208ada69c6d772b50251c3a1724e230ca4c8ae03fb9edc1d38cb5da2199a330b5d54852cc4f607bd1c2404a41b19598f40ffd47480 |
memory/3924-148-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 944fe06548fd53a88369dff9c26d8f10 |
| SHA1 | 204c82978a3d62f015b8fc84c93729dd91b3b8f1 |
| SHA256 | 63358169e1615a3532f6e81b6646674efb53a506d2ba3f987d3d29122f81ee93 |
| SHA512 | 53333c41e86d565abc42899e8afd59299500ce95a331962f86f5ad18b74e8f5f699e3d39029116a53dfe1b0453fcba970fb15a46c7b248886e7c2d4e2288143d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 99df01952fd266e217df5c3292cc8980 |
| SHA1 | bdba37f660615b468ebd8a8854b5df2d3934311d |
| SHA256 | 11366173c45614e4d92fa5a6e0b1daa9964192e810a6cebe87e88173f3fca208 |
| SHA512 | 9f4f37e0c8b5d3d99af3b557a9e1bd3dec086836fb87b84171ab93f37ce7af85cd2ed8e0a1fe7928d177dd5f71211090d5158d043c3437ac1e52de00058f9e5f |
memory/2676-160-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2944-161-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 27da094499e4fa617291b3ff9a4bc276 |
| SHA1 | 08c16158bfd82a365c1b44222ed69330d3491f62 |
| SHA256 | 547a0e62c96a067799a5cae99e8fa1d28d8d22a2e9c1d14ff18e9b9475a541e6 |
| SHA512 | 64239cf97d975fd1338f057c6d9cf23b175e2baf190b9eb6fc97d2cd141f06d9a64895116cd70bc34ef06f5d276ad4a2760eda89e5e8b4707c63f33caf1046de |
memory/5064-167-0x0000026577B80000-0x0000026577B90000-memory.dmp
memory/5064-183-0x0000026577C80000-0x0000026577C90000-memory.dmp
memory/5064-199-0x000002657FF60000-0x000002657FF61000-memory.dmp
memory/5064-200-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-201-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-202-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-203-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-204-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-205-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-206-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-207-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-208-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-209-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-210-0x000002657FF90000-0x000002657FF91000-memory.dmp
memory/5064-211-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-213-0x000002657FF90000-0x000002657FF91000-memory.dmp
memory/5064-216-0x000002657FF80000-0x000002657FF81000-memory.dmp
memory/5064-219-0x000002657FDF0000-0x000002657FDF1000-memory.dmp
memory/5064-231-0x000002657FEF0000-0x000002657FEF1000-memory.dmp
memory/5064-233-0x000002657FF00000-0x000002657FF01000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9e19daad18c778ca4293f7892eda3c76 |
| SHA1 | ff576bb4646f154234c7f92cd18ddea34fc7e164 |
| SHA256 | b95350ee5ffdedd44195e327e13930f4a61d7dfc021367502fdd6d5237892de9 |
| SHA512 | 542952c965f9760591248be106dec6cb1f339139530d1e242e0ab7a7d06adfb5cd49145f72f9b0e60a2ac0f00eb4bf52a3d0ac51527d30c7f3bd133ed1db48e0 |
memory/4016-242-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2676-244-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9fcfd3410a949ddae11c2b40864e4fbd |
| SHA1 | b08bfd762adf14ba96c1d97ae750fff244d26194 |
| SHA256 | 190ecbdaffeb183258fbdfed55a058e2857131b3f4e04e5db4365eda296ca128 |
| SHA512 | 64953eb5aa55a805760d58f1303ecdfa98c96227b8d6e3224abd3deaf2b183f9c9dc4ad278d93f611e413759a64d1eaff534d42f0619ab9cdf10c3a45397608c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6933f4744794775043dc1081381c8bac |
| SHA1 | e06a95e95f11b859679b63c764935d0f1b3ba853 |
| SHA256 | 31ec33ac12ea1f6a5ed369a5787a80ccad5e3843aca12b59d26e20b363d8eacc |
| SHA512 | 03677f848ac05beede5c7b84a4b904079a7d3f1ef27cf2ccaa5c64ccf2f8040a5106b9ffbca70c2f20192357f158c96c92383b06162f9b588f82d85c28ffd733 |
memory/1736-255-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4016-258-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | dfad486ed6dc537692d4aec10084ddff |
| SHA1 | eb34fe92130e55a6f6889de320f59a90b7787114 |
| SHA256 | c519be86f329a21ba294f675668aa31590c0629bf41be65d18663fca35dc69d4 |
| SHA512 | ba1aa271018b9c57cd79307a4feb2c96fb4825159d9199ff9b4df63bee3532ae05ba345aa81cc470d1747dbb13ab6dec49997b7f626534f6c41cdf3e91e23bd8 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0193498e0d8dabccaa2f05ec56d378eb |
| SHA1 | 33cc9d09526cc74184e0fbbbc87d43250ac6a852 |
| SHA256 | b908060d01763da2f895457f0a6d260e2009f91c89b23f7e850b7a6acbded19f |
| SHA512 | 9f0c50ce5bd2ddcc5482e36e550fe5e6f51de8aa596f3fab0a15cc491efe9b5ac5e5ac4fade6d0ed7d3f716a706f2d94e18753c9942611cac2a0c8fbcf0e1c08 |
memory/1336-269-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1736-272-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 12aded24afb99e1f81c3142fa2532e77 |
| SHA1 | 0c8f62f66a08561cf1bf65c200af69aca64e8cc0 |
| SHA256 | c4044b4caa054f752fb40d8eebba7cff8c6ba5c7492091c200903ee234591310 |
| SHA512 | ac3c50bd563c0eb8576d5014788273df9cf5f4ba28b2ddb99ac19da639a4d06be5b45877eb38394a82a67ea353df64e1f784935268a17150afb537cce497c295 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0f6f4fa36e7a0090cd88cf0d61778a9b |
| SHA1 | c90fa9dfd4b1b1e974e4b12976604d5a7001254a |
| SHA256 | fcc0906940bcc4ebb6a762173d58a4e92cedc20487bdc29b63efd68f5f2232df |
| SHA512 | b4524cb47a9005367fc3f1898e045f80eace11ebe849df5f42efba6998168020f4bccf879bc040214f0458dd8d7a9ffa5a10c65aa4a47f704edf39ac3df097b9 |
memory/1196-281-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1336-286-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5ba8407afbc7c19a52aaace1927a60a7 |
| SHA1 | 947d4e9bc3baa2e8ab7cc186658be6b38bde3af8 |
| SHA256 | b86a040d57e9be2b432f2197a1356c2f4a034f99d5e14c5e0bd6ee8e60241337 |
| SHA512 | 1baf1fe281050876f646ceb41883fd6111559ab65c6a618742d00509561d19618c798202322870b2a2f7f92fa1287d710496149991b972cf8dbceecb264895f5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 660e99fac3bf88dbcc914464006ec5c0 |
| SHA1 | 88fe9d90c0cf0f14696b42e42ee17ba0b1981476 |
| SHA256 | 8e22e9e95bf3aa8ea2c60599e4c0c788e131f3ee31c8ea83669676c94efaed8a |
| SHA512 | 3ed23ba5e436de4af650303a73b5a28c1a0be327728e8254c2938a3e226d56a855ff9a9dc747e76f5d9a8c25e162c509cd6350e566c5db61243234c961a30c88 |
memory/4516-297-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1196-300-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c3330d75dc472c6f8b4668484f49a436 |
| SHA1 | f4a4b414c2747f742f2c1e55093c750cf866dca2 |
| SHA256 | f55100d7539628e2a2c8f494c259770fcdd875a52971c91fbd2675bc1116ac69 |
| SHA512 | 754594810097d283f287a419c1f78e3a4a951576c6a64465cf1498a24ff8700b153c731af00e8343639d98dcce18eaa494c21c2bc1c52511a471f79f523ce8e0 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6b4877110e316d63a0916d8ab751c915 |
| SHA1 | b7b85f73f5da0321081096e2f6ca87f8f3335412 |
| SHA256 | 15a7f5ecc6c6ab6b69ba6c35ec4aedba8082578a8db7d95d0a9db4224a7659da |
| SHA512 | 7c0d6da567ff374b2d2ac3fdc9b7ac0def4bce080376efbe3ba247879c40387f94e24fa3cd50418297b33898504416792f35ce7a7de99a6125b323aeba8eebc0 |
memory/3424-311-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4516-314-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | bee557ffbb8bcfa07e9020f9b0a74b20 |
| SHA1 | 810329ac9abf6d34a028a7e8da715cd947ec10e5 |
| SHA256 | 9cd9856a4d695c58d0acee5c8b714c6122e5d938e9d121eb650e059721cd851c |
| SHA512 | 6494b603e8fe06d6f83a8848d97302eed9dc1298650673e0591b2280a98939e2a20e483da71d0ceb8d28b1df265d81a18d558d90608c38f6b93a1e5c9c8b4a45 |
memory/388-325-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bbbb737b8d23ec754227ba563a7046c3 |
| SHA1 | 82000d1946bf88a59674fbc92c5e1a9ac4f3ae39 |
| SHA256 | 0e412364886e13ae3faf348aa3e7e212750569819f81a1afc300e859b477602c |
| SHA512 | 4dc3af4151cee141e23947febce8a552756381dc3a9438a0db09fac9d91177e82f2b9f9200093835eff7201ccf408bd8fb20e142d6f62d1eb67e07176c10dad4 |
memory/3424-328-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6f7c5bfa9ea28fe1654a966bc1ebc7c4 |
| SHA1 | 9959770a9db9e8217a4ab9d6928317c220e44f0d |
| SHA256 | 410a0875f2df7237df89de060cda90d5057ccac981da8ae7ea6a336def0e4f0b |
| SHA512 | c0bdaaa3f212bad9aa2c92497177b22a1d456972be66913a2d231404160055adb6a97a6ad927c122583917c57836b55df9309e49231dfd00b996b82a5b86512f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d44c4871923925c906cb9205331a1f58 |
| SHA1 | 589a45d179a145b0686d083cf33b567c641464f1 |
| SHA256 | 081ec8b8f94d615e33ff9985126353d703e039e5b00054db1128a1d8d556f422 |
| SHA512 | 24ac2491bc378599445d557834fa908a0101819ff273848a709a13a6901cd442c8e659598632950496fbbc3e27597fb65204053eec22e8dd432b437270401b42 |
memory/388-341-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 348fec391375699fe4bad50f298be590 |
| SHA1 | 3874f4201e316e3ace8ab774e996c9b353608466 |
| SHA256 | 768ce2f811f66cade3542438d09bad200178d036141ad305cd4e26d556457d09 |
| SHA512 | 329e1b5646a03a7195daf8e062dde13c5be47083003c579778f26eafac32ec77b8fd7611bff793a8286dd3c1ef54d2f149bb09badff4b5553ba712bf99834836 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e76b37e2c7a6aaf398dd511dd05f4145 |
| SHA1 | 5c90219a99ac8c49c209052953cef38598a79792 |
| SHA256 | 9b2eb3750ec8184a9b9fba2db182dff87f447f6d508b094ae9d8630a5194350b |
| SHA512 | a287dc34498360c4c1cab01ef190591c5055e9dc805d192b408def399830e7bf422aefe4a2721283ea53f13ab63f8d7eeed99e31598d7ad1ac89e8a2d3e90694 |
memory/5080-352-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1604-354-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5056-363-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5080-365-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4032-374-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5056-376-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3468-386-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4032-388-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3784-397-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3468-399-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3784-409-0x0000000000400000-0x0000000000430000-memory.dmp