Malware Analysis Report

2025-01-18 21:17

Sample ID 240323-xycrmsdf9y
Target 32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8
SHA256 32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8
Tags
upx adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8

Threat Level: Known bad

The file 32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8 was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

UPX packed file

Modifies system executable filetype association

Modifies WinLogon

Adds Run key to start application

Installs/modifies Browser Helper Object

Enumerates connected drives

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 19:15

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 19:15

Reported

2024-03-23 19:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1888 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1888 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1888 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1888 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 1888 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 1888 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 1888 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 2988 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2988 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2988 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2988 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2552 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2552 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2552 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2552 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2484 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2484 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2484 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2484 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2412 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2412 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2412 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2412 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1852 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1852 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1852 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1852 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 816 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2652 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2644 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1864 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1864 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1864 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1864 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2340 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2340 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2340 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2340 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2884 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2860 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2860 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2860 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2860 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2960 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2960 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2960 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2960 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/1888-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2552-8-0x0000000000400000-0x0000000000430000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2988-7-0x0000000000220000-0x0000000000250000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3cd21cc48859dd97c49c87fcddf15500
SHA1 f6051eaa53a93a735e7deb7df95cf29eba8d66e7
SHA256 ff02ebb379aa36891a678cb37df0ae09d492551eadd2d6f00ecccdd6e7d798cf
SHA512 0a7018597746c91efdf0d7286c355c340c2d26d662f9512201b624e75f5f93a3b481f4f0b3aedc21c124c56ea328dabf264ff4c0050585f5d027ede72e74989c

memory/1888-11-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2988-10-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 cc60a7d03b516f7a07f1b98c53cea35d
SHA1 b85d183b2a417b17a23486db5839b173d15736cc
SHA256 2702c74e1786fd31cac6729266b707bcb23a36f24f5a82449db3a9fc4ccecb85
SHA512 70138db2334fbecb5f48c1383ea04465a58384d9d143f54388e665945ee7e73997c0cbd149f15bc2b40836025fcb3bfcb3cfc1f931e5c23f82520312232fc92e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8ecd402fba80de2860c17a932896e88c
SHA1 c987a6c0b7513c4f385da902bd1d2458c05f6d00
SHA256 e900da0b6fcf0802e59c1865421f69b9c5506eff9fa91fd8f3acb92f4668608d
SHA512 4e26676336d312633cdc3b9e3cc2b8509a1429200627f22c07cc004682d718a667aa69101400732afdcec0e64873e571e724554d01b4d3f4dacdb307ae7c63c0

memory/2484-18-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2552-15-0x00000000002A0000-0x00000000002D0000-memory.dmp

memory/2552-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2484-25-0x0000000000330000-0x0000000000360000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 82eb0c1ba8344a296f462663251356f8
SHA1 76cbab697bc2bc4782caf8800dbdab8898d51e6b
SHA256 7c46df7aa9f16a163a856e00d98fa4365c6ee440ba3bb1ff2d4c7e6c9ca5b9ad
SHA512 ab4e92396aad44fb086676dc1d7d149aa67c8139eb8ce0c6c95e8c367763301fee9b69ee523ebd57a23db3ce998f9725348b93440c19a2d0b348302788a43264

memory/2412-28-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2484-30-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9b54d107d4aee74e29a48b0f633d20b2
SHA1 c92eabce770a78456d505120aea4f9d5f8b57b8b
SHA256 30ed1a6357165920605cf0b991c4644432acc4d150f24c64f72a657fdcde3682
SHA512 baaa790d4ce7cb47153e32c65b678cf471c147149a6d1577a79e7f02877e3f06c59f5b40827a86850304d3ea6b77fcdc1a3fb70b2514327927ce358d7455d0cd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e0ba3312261f2b468ee3738fc2b9b2b9
SHA1 973d3f245a1fe0af8c8bf5dcadd7d56725bc69f6
SHA256 ed4cb806f9c0c7d54f8973b0914ddf7d61295f1c1d99d5aa52b1a9a724ee9828
SHA512 21837e82fff3c137c68a98d4e2df3dfa09d0a582f0b12f685c18748c95a19ea25d06dbca6216921f8c66880cbf59518b1f1c9ab93915faad6514f80a440464bb

memory/2412-34-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2412-38-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1852-39-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 db445b64d758560b3a730e352606d7fb
SHA1 586ab6ef24dadc302553de1095b1806f5e55993b
SHA256 aa4e14e03432c3c29d009997f84f8acacd9e52e626c8d549ab4df8b09969748a
SHA512 768a0c64088c055a2cb57488654f6f26e23c3cd89faacb2cb230963aeb372a96ca354d216db0f9f61e74d5441db4a0cd44f48ac34b3a28a5e99535db370e7a9d

memory/816-47-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1852-46-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/1852-49-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 63667f718468036b45eaf0005fe13196
SHA1 fd582fb642f5a5fd53c5d2a0b5ac7f4c0b2b0dbb
SHA256 9ccd73a36a535b9e04dbb3e902ebf8014845a49a258264547baac92037cade4b
SHA512 e21d365f7affaacdb51ea1950dc4172ec78cbebb6e364f155cffecade99470002229c2818417d1c70c3454d53956d3fd5d308b3162b541841e328831af9cb0e5

memory/816-53-0x00000000003D0000-0x0000000000400000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8fcb9a118a071de11d6dcd184a9bf0cd
SHA1 f682a9406de39b2f2ad3e04d6bce2df919dcc1b3
SHA256 025228a5d54047744b890e3b1dd4d488d4a7f52fbe367fb7fe89c96efa62d7dd
SHA512 9910d447938485106a762f4fcb151a0b49ea10f3b06a74cd8fffd61af656923f856eacad4fe92797405545a8c2a26ad227fbdfb49d419650912e9bab5957b160

memory/816-57-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9990124154670daef1916e64af70e051
SHA1 9fc613bb93d3ff25a189a134e23445355bb2273e
SHA256 ab0e13845d58071b1f98fa4fceb2f6670186ff9d29de650cfcb1e3bc1143cb31
SHA512 1d6824f4fe387cb76ac7fac261ed4942f90809a538dc1450339a197af7e7612ffe86c3e9bfe1379f60a0f686b8c739f3d3a47364a1f93f146f3b895e7a032822

memory/2644-64-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2652-66-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 26642fcadfc1bd691ecb1f19108b91b6
SHA1 74b7a39a584e4b98201c0a832b8de6c2e344502d
SHA256 839971b437b755cc5466fee08c7adb6e74b3e649f25f33ef6edb0ec5e34fcf0a
SHA512 f7da633dd5ae9bf2247ba3ad5de18c74bf2cec55c8c057dded55f615d64664addbaa048c3eb102ea35b37199c3c3bf863a9bb42351fa20c9da187027ba3ea7d7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b4c1425becbe0472407cd142d88330d4
SHA1 ab618dc5e2b476029dbe4d0c30b2db1b3338ce80
SHA256 e829d28b5d322a6397efdd9a9bd5909e62e5a3691276e3a1cccab252e0dd1351
SHA512 d7714f608a9027d9fc26040625d8937a9338f79129f097c2c16930b65b4c708a8661b95a84e8ae4d0418532333907e543953bc56ea4af8509234f613bf71de65

memory/2644-73-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1864-82-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a80125b654a5fc988843f05f62752976
SHA1 837eff1f6cb1583150477591c8bc6f8c2d3c6c21
SHA256 8396bf2b59adeee0333352d4126a8bafe32a963c1627b65b674a90b5b4853d3a
SHA512 5fa462b3c36899f21162f0986a9de043acd002b5dde4020f7f5491fcea26bf5d5c1342018cb42a2a9f4c3feb7aa3ca1cf510eccfed013ce4ac35c72e9af0027c

memory/2780-78-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9350c7d11c18fcda82d07ca84d374ed9
SHA1 a968abb01ca3326274c1ba3782ad210693f48ea2
SHA256 d1806e796d79a1906f7ad7f90109b55f6da10ad876b98d773fe491698325c287
SHA512 acbf11940445435541e1bfd35219f04ca99c9cd3e25a2f5892bace49594cb3871bab2e2563f3a1401d0d6ce8e448ea3344a56ca98c4f36b4169def22af395f0b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c78b8cbd913ff5f35f773456f48f0a00
SHA1 744636bf96c42dfc6c7ac3e3d1f0d2ec0922eb86
SHA256 a9049cf52e3b339c428b682890a107cf11cf3aec311a5b5fcde9c136f28cb0a8
SHA512 cafbef7af55bed0b12619ddb872b4066211a15ff9f02cd4942db41a3eb3e2707ff4f75d94b78a6115248e75dd26c67041330d1c1de2e1970a12e38eebedf3d3c

memory/2780-86-0x00000000003D0000-0x0000000000400000-memory.dmp

memory/2780-91-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2340-89-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 385ea5534d0d80db153baf4daafeec3a
SHA1 d94d22a363a8f02020fad1beadd3dbd3b6a676f3
SHA256 af4ebd647abb83688aa4c41baf90f268de62c56b71052b694d8c05d7e2b11091
SHA512 fa30ed952c38c5091f522267af0e4e66ae0fd6caa671f79f72fa7e10083b5a2b58c8fad121d6e9eee049b680dff91dbe18ce9916ef3e7e12ae4d4dc29986ce08

memory/2340-99-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2ccd4b2066aeff79a79f4ae5ff3c286d
SHA1 11e993107ed28b53284e45b0cb81a93be2a6c736
SHA256 b00f577c64ec5be59ba7feea7a7a0dc04aa893d1da846a6b72682b6f6b238927
SHA512 64f94c6cdabc878493d834b4281e651d34d9d2072f5539f18e20b98c2d35cb5c131dd35e6401b2fc3c49a3f34b5efc1085fd32df224e18ad95a9032398d4fbfd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3c289446cb9233d327fd44041001298a
SHA1 8d72b0f1a80b321f2c9a70c7b556bfcc501c2185
SHA256 df245ac8b6f28b34297afb8f0de13035885574444e34ef2e3254ee6c381aba5e
SHA512 33169f44ca5633b2cc1265ede0f1ce9f2e851a4e5632c3fc6b9659f21c9a45142d4a7dfcfde0a04f70026c7442c989b84d4c750925652ddfd22e85a740d2b03e

memory/2884-106-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 11364c6341983a4ea9fbb663c534e48d
SHA1 6b8b0489b2bfb9d9188ac299b014eaafebd5aa5c
SHA256 175cc3e0247ab2c82277800117c112d0f5aa5509a4c9b85243f39c84e3e04016
SHA512 2ef768bd113888eddf96866e890d54ff1b548c13c302c02518b962b7606cdad1142aca4ec2e027d39606d2671bf77e3f980c653c46e90418be7b1f741451e132

memory/2960-114-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2860-113-0x00000000003C0000-0x00000000003F0000-memory.dmp

memory/2860-116-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 d8469e138ec699c99b67c9a96347d876
SHA1 b2c7afe0bdaf5ea7f2a01453d6298e10c13b377a
SHA256 e6134297e1217cf80715a4524ad54dbcd5b0b73f6064874b674d5c49c4c8e70e
SHA512 d8016e149b70e93ff0c95422f743563a6d5d858d7b50ea440ea6773849a81508ef44e6514fb53f30bcc04bba506139db7d36901f68b3dc720ae2d75d4c4df2f5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 08e6610be5b4f74b06f065de5482ef5e
SHA1 c4c076f1e6ebb520ad3c4c9c235cc405dc7bfcb1
SHA256 d68765b0615ffd7921a9aa775faffbc792994620aa832ef65d893d8f4e3abc0c
SHA512 54ed1a6f79eb24333a71e4d504d6abd59c92256ac1b5b22d167607a684ee8beb19d5f3a5bde09209cbcdccdef9e1002ac6bd509b4058054512b1d5932008e376

memory/2960-120-0x0000000001C00000-0x0000000001C30000-memory.dmp

memory/1988-123-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2960-125-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 72e4680e394c4e609ff99301e910a47d
SHA1 871743aa2ee0d74074b5803df54c9e397f57c292
SHA256 d3ab2d5ac33507c2176f6e3d1ec0964c4a4b97ba65ec518e300378b342c5393a
SHA512 f74aeb738cebb89d8213e153ce52a3fd50e9dbdbb032a5d6c1bf31061d8de4e26896de66ccc8759b9f7ba2b0b9dce0c2a1fbd1f6811a9aaca1c1e8be57f3ceef

memory/1988-132-0x0000000000310000-0x0000000000340000-memory.dmp

memory/1592-133-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1988-135-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8ea8255a28f619931367b597fe011cdc
SHA1 1ad2f69801ac81f9a4b737f28fff4acdf6e8bc44
SHA256 d16bfb26cff412cfc0a7e4ed661b2f18c92817c8bda5481153fbafc85557aef0
SHA512 cb664076a34b603e6a456a714a67f5fa7f30fc285bd3612feb918444ee423052427a526072c185d3d08d884450633290123b2cf271da285033f825a2d0397e4e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cf61475d5892d49ebd8551e30d05e338
SHA1 db3036698ca39a3540156b318c13b11d299972ab
SHA256 3eeecc4a759520d6fcc4b1a5b968bf43a3e6782a0d9c769b7d13f02a5ef4e1f7
SHA512 467278279d6c9b87f309d7563f84ffac6306cae95847024c4a62e3431e3e08dbd3919529dc159dc98ddc2c15c7b6718d6b6e1ce312ecfa717bb38c8769685db5

memory/1592-144-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1056-142-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1592-139-0x00000000004B0000-0x00000000004E0000-memory.dmp

memory/1056-149-0x00000000003A0000-0x00000000003D0000-memory.dmp

memory/3052-152-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 17ec6a932c021ff945559babfc1f0587
SHA1 9c5face2258c1631d8601d5d67aa3259082dfdd1
SHA256 cde16f311bec92494d9c98f2067b27da61fae7631333d4851d0a5de201c7055a
SHA512 585f99151d114545caaff3e2a8f6a7f5088a9b42dbec0d52f00b30eeba2dc61061e2a449d6e052386e84a80e9931a4f9d4b1b72ded55a0fc0a455ea1ffa17ebe

memory/1056-154-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7a7b6d319a55077e8e1c10487fea6e38
SHA1 1c45619ff0e794f89aabf60e23fc1e1ffb30bb21
SHA256 62690c05acf5b1dbacbcbd1129fee821aeb63c525af4df628ea4b2d0b2856f7e
SHA512 12dcd1cfddab2de08d1f67640c8dd942f1c97c2d5e0b8f104b796fd6aee5bd96c084225b511df71941dec8072705ed504876509cf9ea3740af1fd278e71a64b5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b297dda0ca40e2e972096d91ef1ec4d9
SHA1 ec59f0da2a1524a8478f4006383f965cbc04c4df
SHA256 a5fb795914541e3bae6ee518fed4eb5bef5233c1a008e8e27876f75587ecd263
SHA512 328db01e22bc7f022664c88a11233f836e6e6ab4d9abab9b729088d9519491904725457a8c533f8d1db108db42542968a7c20756312490b0edd45fd52c838f86

memory/3052-161-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e88add4ddbfc37c90387bf35aaa1a79e
SHA1 b158321dc9e05fc75797f3169cee70df0d7b4991
SHA256 5f80381aa26b8d33c51579323196272ac71be30db45dc42118848abe7d284d28
SHA512 5508dcd4719e646a10791549e658ab031ad32d7a97f081a94a657fe3ecb95efa0591809bf9712f4a44219a5ed1a0721bd94de0fa3700f1779bd79757f265a4ad

memory/884-166-0x0000000000400000-0x0000000000430000-memory.dmp

memory/860-170-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0489d57d2013894dcdd10b67477242e8
SHA1 7b71ee74f91d4d1ccca1711cb2f6f9b03f3cef58
SHA256 c6946d8bf1b0b9ff39aa61c6aa064554492d940e6265be6995bb72549d1efe3e
SHA512 12ce167991833ca891eb9ac41facd50cc1ab30d064f9823c07da28e3ef520cefc1082ec38927974b45bb5b39a36b1d738414476f20b23d8a1c32620953d0eeba

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9a41521a9e94e32c0545135bb48ccd47
SHA1 812b46ac0b0ab23e551ffec4ddc01c7614964f8d
SHA256 4cdb0968741a74d954c58681829a2c53d61b09622559fa3391e322d6c081564d
SHA512 b815f9c55daffb33bb067a735a2cb4a6a39b15df88b55db19faef699584c8c2bc31577e3a25e16b4a6a807f61328e0b8a57324e94e52d8d3ab052577946eb947

memory/884-176-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 665af751cfc1961371216cbf7a13e3cd
SHA1 da1610b3e901fc634d1c3dc85b77815238a40e0e
SHA256 fc222613e64f5d216d3fe180adb1918841ba65ce10d19f9a204f86243635f600
SHA512 d0864b1f749b594cdb284a7df636d2bb2fa2b1cb0f87f32ce8bd0a40ad8828105316303eeac036a42d5a5019a057704883d43584b49d2adccb594f3bcfdf1bc1

memory/2684-184-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1700-186-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5b4725671f08b20b3675c03a128adbde
SHA1 5592627a4c3a530337da531c6390482cf2b1c4b5
SHA256 1e6f71ccf8ee15e84035b7a29497c5b0868d563d0d9031108dac9191168aef53
SHA512 e55f16b925226d847fc8530c4ea15b128b0065cab70b1a8b7e58b5d42eecc1635fe82f1648ec3dc235fbca9f3d545c4fcc61265d3d6ec518346b930b347ce9ec

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f1f5f9cff194825e701d64bde8ec4234
SHA1 7153d66926352c15fcb81d7927278d31065feab7
SHA256 71a7249966b028cde43d7dbaea8918dafe8c60bbc73613010dc6d9adbae2e1eb
SHA512 ed4d3a9bad5fa812ce609e800df540e880a6104e747658f401c548ee5916cfb55c6b2bd5f4c0ba9d28a798ac9b5352e780cf36960050eb99dda5f4fd0bae181f

memory/2684-192-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 152025da71a5e289f5fcc5614ec38cb9
SHA1 77c27256795bed72ab6cd42ac5a5c2c859116d6b
SHA256 7bc69274a0320715809eac3ae43cde4ffdeb046ca9601a984afdf10681d44b21
SHA512 8f70145ce8d0ef9d1f999b2ada5ef2a6daacae28e15bd2cf0f700d6cb97d67b931b8afbe3188bd55cbe8eb3457c0a84cb84d67f6d63133043c60943b7958ce8c

memory/2784-199-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2620-201-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 365688deb11465596a38a10d191718d7
SHA1 036751e7832b3bcdb385a397c49084530c24971d
SHA256 c6877eacb9e9d94e0a0460395513d0743972d8faa06bcd4edd9f9cc84049cc9b
SHA512 833105b0b4536a602506abe5233e932a6350519b682ed1d29de81bb25133a75d7265b830e68b2748355a0a92fd09f4f32305b12c626ef8b49a93835ac49d05e8

memory/2784-205-0x0000000000330000-0x0000000000360000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 dc1e55e54e023f10538b70c36daa3bb0
SHA1 490ac17a63d6008d9c46141e4d12df753963fb80
SHA256 dac1e0ae9b3d9232f3cb8bf2f26d75162bfb67dffa3a73142245225c3ea5cd21
SHA512 5a66e3da11fb2ada8a35ada330663aed0bd420942368dd96131a00876e76f6396d7881702a3685c559e0a77f4c53683f6b7f210ce86f1c59b4d8fa287d5c1972

memory/2784-209-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d28bac258cfc58cddb0d27a17582fedd
SHA1 4c314bc3f90bf6065b59e23538e05b977fd78835
SHA256 e860c420f5fe8cb989b26dee9ada3ddbab1a3bdbc4d921ac58b77f8a0b67939e
SHA512 ee41bc1aac4892f6c3cb54c16ac5fe63daa2c043ecd1d9ff267818b513a1e34ac803afaa24764fe64dda0be213967e1791cfe9a0ce362351efcc50853015b4f8

memory/2408-214-0x0000000000470000-0x00000000004A0000-memory.dmp

memory/2116-219-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2408-218-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e39c3509b7648a5a63f46a32fe08a601
SHA1 9a57f8f544f1fa647ffbd08613e84df7b8bc0496
SHA256 2e4ada19f9daec6a93ce08442bfd5b911001227b8a9baf3a31a648f97ed883bd
SHA512 fda038d03ca4192ebc266e8ad2c58d305b1ea37e020edcd3cb5b47b6b57c3970894092a29a818f55931dcecdbe4a5ac815e57b1aab43fc8884dccb6c1a507351

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ac337b938228accde4df7b404f5195de
SHA1 5f60cf7fb3c918925f006f1caf290e31cfcb3648
SHA256 aef8189093352dfe0d6c329a4e2ba78f249161b764d81a7062fe68bd39419d09
SHA512 8e2504e9696b8a9773fabb706cc445616cb6b20bd0bbd19dd21becaa2dafc0a3e83e68134b1eb1604d8074670a16bca29ca06c394a69a78421bf272a89fbb362

memory/2116-223-0x00000000005C0000-0x00000000005F0000-memory.dmp

memory/1576-226-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2116-228-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1576-233-0x0000000000430000-0x0000000000460000-memory.dmp

memory/2648-235-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1576-236-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2648-241-0x0000000000300000-0x0000000000330000-memory.dmp

memory/2760-243-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2648-244-0x0000000000400000-0x0000000000430000-memory.dmp

memory/624-250-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2760-251-0x0000000000400000-0x0000000000430000-memory.dmp

memory/624-257-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2348-263-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1840-264-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2348-270-0x0000000000400000-0x0000000000430000-memory.dmp

memory/764-276-0x0000000000360000-0x0000000000390000-memory.dmp

memory/2492-277-0x0000000000400000-0x0000000000430000-memory.dmp

memory/764-278-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2492-283-0x0000000000390000-0x00000000003C0000-memory.dmp

memory/2492-285-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2088-286-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 19:15

Reported

2024-03-23 19:17

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 3200 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 3200 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Windows\SysWOW64\reg.exe
PID 3200 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3200 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3200 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1440 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1440 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1440 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5016 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5080 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5080 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 5080 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4924 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4924 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4924 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2200 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2200 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2200 wrote to memory of 3108 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3108 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3108 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3108 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 396 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 396 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 396 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2336 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2336 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2336 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4048 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4048 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4048 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1824 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1824 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1824 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3924 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2944 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2944 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2944 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2676 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2676 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 2676 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4016 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4016 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4016 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1736 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1736 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1736 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1336 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1336 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1336 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1196 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1196 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 1196 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4516 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4516 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 4516 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3424 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3424 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 3424 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe
PID 388 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

"C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

C:\Users\Admin\AppData\Local\Temp\32d6d189bd411aeb36f376cb2129091acf0d023f29e532d14a67a3bb6e275ae8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 bublikiadministrator.com udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 128.230.140.95.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 137.178.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/3200-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 44fabb24a73c639b8fa5692edec55dbb
SHA1 866f5a1999efec936aca9d6877269d6f934ec111
SHA256 81d691d95ee53f48ea9dbef5923ca9ef18b22549412641e67463e442bd0ebf87
SHA512 26096989ce7ee4e113d3ce25008ffcc3e36756ffee4c26820ea0e472f4a97639430187a3650fa3cd9a696ca3e80ffcb73a176ad5754851b2a5d1d96dcd59fcdb

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3200-8-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 909c67390a1ccaf95440dfe9303dad20
SHA1 a2553b67d735d140268929c0f59605154aea0f06
SHA256 b8b9b3f9a83827d017f5c3711525a6cbf2ef71a2b78934cdf78333ee6d2e75e3
SHA512 56b80b8484b5cb73f52876ee268695b3ee1659a968e89075687f86041ca227ee55cc943f24cfd8f5a94ca321cc260866113bc3a2e372f583b2170e1fab4bf19c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 62fdd9794f665f203ee2a61ecc350c02
SHA1 dffdf5e677fe81d644d0a7e1ff1ecca1abe42fe1
SHA256 2eb59d153fd55028e58957d3dda83517305904b1e5f64fff21acba1646e62934
SHA512 1259e4d1238e82cf322d6ef8cf7960971781ed9adbf3741ac621460b2ef013322a64c3627658626757f7e8ae2e3d06402d1917a8cdf01697a05caae3d6187746

memory/1440-21-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5016-20-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7403259a42b63dd82c7be54e817a9aa2
SHA1 4758b3d5c50eb5417bb72fdbecfd0a2b635d6b31
SHA256 9935e7a270601aec8df60e63b9fd057b7e860284bc36647f15caadb6cf328dcc
SHA512 a20099be3f7624c979b1dbdfefc8d295b202960fe080da14da9c7812afdd328a960bd3d0680a6c4709bfa1c1a89c9990dd73578ffd6a86dc5b73269bd11bb49f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7d3ecb4f8e2c21e524b8685262c2c88e
SHA1 d8d3b77a7a29b667a768f98ece425162e4dd99fa
SHA256 7b26e28df763d7fc685fa04c32f51d3dd310a19c3f3f68e49cc10c5d1908c427
SHA512 9f3034976af77549d0b06432b21616aad1adae5f71a52b9c0aaf348374a28de4119a92427cdc5885136ae29e81dd508d3db76c5cfd613589bb5fd5562aa42984

memory/5080-32-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5016-34-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 881a2c5d9081ac8b4a8558dbb9348dde
SHA1 b2950b97a45ded6c14d321b87702f966fe1d8b00
SHA256 2f28e614a7375ddc530152c3e098010d22b6762a45c87836f3813e7ef4276ae8
SHA512 e285eefe05b687fc618508d9277d19f672825d3289329d94e7a812183dd92877250735343bcc63d6195fdb57641752ef19d72dd0435be683b5226258296fd103

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1a6e1e090f4ce4a073577cd7225a0755
SHA1 50827661595503f615a7658e52d091843c07af86
SHA256 558ae0101dbb53e265d42d67be641debf35d1f1890a6b847e86cf2431f127302
SHA512 535d93ca215bce717199fde243f70ad523459a2b7781ca2a26c30c372da4f62e76e9de64b45238220acfc1dd09cb8d65f804302520acb77152cbfc1412cf7eb2

memory/4924-46-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5080-47-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 eebe2bb3e3f49af7b4445b41e4492663
SHA1 8c897b530d25323c336e4e8c4b82ca329710b8eb
SHA256 2a45bcc206a6f062ee7991f4a00e5a4b9f605c4cd5f4ab0979968b44d5cff80f
SHA512 a5b588183e868d3f5520078196e7f8a8f998483923405d2795c4d6e84989b699856f33f3c8c00df0802939c574dc489600b040f2f7746e282ccd6bb20ef0a7b0

memory/2200-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4924-60-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a9e996c79b2be0dafeb5a19be823bb12
SHA1 ddc582e99502537884b71b24c7b187e7b8ff70b3
SHA256 3c2742595c429022ecd20ca2af87762a622673c5257f9c22af0a300a0f75ad83
SHA512 fadcbbe16167f9d1bd9013c22c3e105d9246dbe535a974cbeabe16e3f42db0689a46fdfe9b6f0c8d76493f091e1d3c85e3644b45c32ed8e6bcff1e5c1678f5c1

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f99a662afb194ea66610805388ac6910
SHA1 0d262d4cbe77fca2eaa239f64633084586ca513d
SHA256 a6ef1750d69aed5cc41020d6d71841bf4354db33ea2376ea6a3c491345d8997c
SHA512 4dd960ede8536c71011ae0b0ec5c6e0ed33339feb1796569d789652b22f91eecd394368413adf88bb147b0952158fa0363517b1834d6f119d801ea06d493ff87

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4d26d0fded92fc0aa91ba2d7f98da1e5
SHA1 170382950d1d357b9584412ded1e3576008d2c96
SHA256 39ff89cf6dac80e59bc22cfaf9d358bfcb8f2d3d110252e5d3c29046a030d434
SHA512 af78065379a8d6e2f538a1bf8dccfca68e3c717cd1434068703ee71e73ac9169348cf21ee05f25186e40f59779588addae11ed6b8235742e788c48b14575c834

memory/3108-69-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2200-73-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5787d5ec684cfa45550cd60002fde88e
SHA1 ba6cd645a64f13d21afcbea42622444d7081a58e
SHA256 48c05f959b97c042e4ba9c3d9f8224a05235f77ba43741d3a6dc099abf364554
SHA512 80833f458e311e30c921eac095b7c9b5a1f92ee697c2b2c8295908a687b9d13ca36a9833e36a51b9112f86260cf9147561e0f72d21a8d1632631fbf85912248b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 38a8b8eb69586facb2be6c1a82b73b20
SHA1 b299f9c4e3e1da3750534bbcd129fe48d2819222
SHA256 a9a0677eb7ff60d8f3663a177f4d3e43f7fd0ce206d69b8ae8dec61b924ff32f
SHA512 eb795379d46a9d20b104bc76aeaea5d2f13360dbe8829610ff8e4cf7115f7e5dc85da601c5491a910930241c3b6bc1a17d682c62a03a4f5a6b9d314743dc2f43

memory/396-85-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3108-86-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2d9c96bd10a67311c51febcb04493703
SHA1 27c184a7f28f5ec87498c9c68e40fc01432f94b1
SHA256 998668eb311375e3d11075b40962383990ebd7f164c17cebb6b489d01124e59c
SHA512 8066107f7b2ddf0ae6c50a875112b4f8debca8574f4975a8d057fdc88f8c19686760b3108be87f70700a5966f029e22dfb01131c1c4148e58780dd2993ebe6ae

C:\Windows\SysWOW64\drivers\spools.exe

MD5 68c5205d6e55e8647dff5067a3e329d0
SHA1 f2561226cf63ca9aece894b0b5b749362895ef85
SHA256 aa3ecc2199fda74036ca9bd76f5512983aaa4969a100cf0aedc55db38413cf44
SHA512 bfa1d4f29594d3b0a8917deb9b37a610c8c912196f29180bf4f7341befacb2d593b01861c56da05ca100ca0de64e39b00c82e1a16ca7cf497f6522537d6d22d8

memory/396-98-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 31af50b0f8d753939e454084a9e56e8f
SHA1 72282f3df91c6c110343eeb75c47b9a496a8be98
SHA256 4e437b8e374a179dbdfb220ba4c27b7641107be28ca44cc90b9b5de9b22ca558
SHA512 62fa921d307be22f0bcad1ffaadbee489bc40f947d4fb74c90457284572dc55d42783a3686684f2837dd7c7f8bde8989cfcefbe6bc949cb4ec932efa6d21217d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bee6b4f40b6a3226b7674a051b19dd09
SHA1 6a1d16faf8be53c72d3124932c5b4a9a057fc913
SHA256 538133659d48f05ee3fc4401b8a77b93b78b7cd5b3478313b8a8d4fa7d55ce6e
SHA512 a92a1c42a1f50ad93283dc9cde4857af73bf83180f7dcfad15ad5ec6bac2c0e32007f8eea0024a7d15b4fd405429cba84056bb36f20741f9e6dbca623e0f2726

memory/4048-109-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2336-111-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1a53e99a731cf02d2bb3a7bf0dc18d71
SHA1 8ee9d331f90182fc1d8e29284b8278eee7ebe01a
SHA256 ed27b398e3e543a1318b4b83179e6aefee2dd3792d87693b2915d2b53e357bd6
SHA512 cb8b5de0bcf9f0b709b5035e49bbf0e22b9586d7ff1d0dcaffdef62c4667ed52b40e1f3263f4994359e1b620ebff471adbf56dfe7a0036963e6bc26d4cdcfcd6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 87fc6caaeae8314d603cb9bceb1cc110
SHA1 999fef5259c6a3880d34f5f7eef8568c31d70bbc
SHA256 6309b2286042b95f84b1f3d3dc839f1ac1eb713f01ed23356f1a2f91faefebbd
SHA512 a6d2a8cc50b30f51fb88b3f472b00932532381f55b187e378563380ceb4d8f33bf831b189ef6ee8784c9c88a1552441ee422aacc41cdd74a33877c7ccfd45394

memory/4048-123-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fe1f1073701b3c2cb9431f622315c801
SHA1 1eb5bc9ce9e8a0912e2103b4183320459b934ccc
SHA256 f8b09895a6c5b3a4bed1a67afe76f2acccb953e191f781002d0801efc166e190
SHA512 68892b002ac79762aa84470216cd6d5ef2fcaa4b2b9ac91693d008c310b5ae08a1246e59903141d98cda15f36d51270fb1762d5d32d5530fdd1f3345214e8797

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9ac916f3d0059d5f0b7918df0b0cf9bd
SHA1 395cd086a7438b010d327ed124a316eae05783c8
SHA256 d94328bb8fa81e10f813900490df6882c73ae5b85d442bdedfb1e774f1cb4c18
SHA512 a3e2a7278aca27aa31dad40e63d567749b811c52f73f90759e4bdd7bdb927bc1b29e4948d160a163cecb7cce6c9af1a58b8af1f12177755c90ed6100cf5e4bd5

memory/1824-136-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3924-135-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 17412ea0e87517caf2cdce3326538d52
SHA1 8531ed67c9c0b10d3f905bfac4f3a956b2b8e34c
SHA256 da7fe64a3530a3a2c8b7670d13e2cb323fa054b58607987885974d5265f18e56
SHA512 afca5ae0de7c03f2d9dd566acad1228c33b41874282c5a9662c05722ed42a83abd25abca03d23575c4c62de09f000b9feda77938a236e980731697c6561f7c2f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2059fb64d109263819a79faeaa42605e
SHA1 c8578dd14a19a0635e7a1a3b9e2fd79fde69e65c
SHA256 8fb5279f6ad203a3a3451f934d3d52c1b5e09b7bcff816ae8e3c5ceba4020192
SHA512 9d75641936e703daa62ee7208ada69c6d772b50251c3a1724e230ca4c8ae03fb9edc1d38cb5da2199a330b5d54852cc4f607bd1c2404a41b19598f40ffd47480

memory/3924-148-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 944fe06548fd53a88369dff9c26d8f10
SHA1 204c82978a3d62f015b8fc84c93729dd91b3b8f1
SHA256 63358169e1615a3532f6e81b6646674efb53a506d2ba3f987d3d29122f81ee93
SHA512 53333c41e86d565abc42899e8afd59299500ce95a331962f86f5ad18b74e8f5f699e3d39029116a53dfe1b0453fcba970fb15a46c7b248886e7c2d4e2288143d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 99df01952fd266e217df5c3292cc8980
SHA1 bdba37f660615b468ebd8a8854b5df2d3934311d
SHA256 11366173c45614e4d92fa5a6e0b1daa9964192e810a6cebe87e88173f3fca208
SHA512 9f4f37e0c8b5d3d99af3b557a9e1bd3dec086836fb87b84171ab93f37ce7af85cd2ed8e0a1fe7928d177dd5f71211090d5158d043c3437ac1e52de00058f9e5f

memory/2676-160-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2944-161-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 27da094499e4fa617291b3ff9a4bc276
SHA1 08c16158bfd82a365c1b44222ed69330d3491f62
SHA256 547a0e62c96a067799a5cae99e8fa1d28d8d22a2e9c1d14ff18e9b9475a541e6
SHA512 64239cf97d975fd1338f057c6d9cf23b175e2baf190b9eb6fc97d2cd141f06d9a64895116cd70bc34ef06f5d276ad4a2760eda89e5e8b4707c63f33caf1046de

memory/5064-167-0x0000026577B80000-0x0000026577B90000-memory.dmp

memory/5064-183-0x0000026577C80000-0x0000026577C90000-memory.dmp

memory/5064-199-0x000002657FF60000-0x000002657FF61000-memory.dmp

memory/5064-200-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-201-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-202-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-203-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-204-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-205-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-206-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-207-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-208-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-209-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-210-0x000002657FF90000-0x000002657FF91000-memory.dmp

memory/5064-211-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-213-0x000002657FF90000-0x000002657FF91000-memory.dmp

memory/5064-216-0x000002657FF80000-0x000002657FF81000-memory.dmp

memory/5064-219-0x000002657FDF0000-0x000002657FDF1000-memory.dmp

memory/5064-231-0x000002657FEF0000-0x000002657FEF1000-memory.dmp

memory/5064-233-0x000002657FF00000-0x000002657FF01000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9e19daad18c778ca4293f7892eda3c76
SHA1 ff576bb4646f154234c7f92cd18ddea34fc7e164
SHA256 b95350ee5ffdedd44195e327e13930f4a61d7dfc021367502fdd6d5237892de9
SHA512 542952c965f9760591248be106dec6cb1f339139530d1e242e0ab7a7d06adfb5cd49145f72f9b0e60a2ac0f00eb4bf52a3d0ac51527d30c7f3bd133ed1db48e0

memory/4016-242-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2676-244-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9fcfd3410a949ddae11c2b40864e4fbd
SHA1 b08bfd762adf14ba96c1d97ae750fff244d26194
SHA256 190ecbdaffeb183258fbdfed55a058e2857131b3f4e04e5db4365eda296ca128
SHA512 64953eb5aa55a805760d58f1303ecdfa98c96227b8d6e3224abd3deaf2b183f9c9dc4ad278d93f611e413759a64d1eaff534d42f0619ab9cdf10c3a45397608c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6933f4744794775043dc1081381c8bac
SHA1 e06a95e95f11b859679b63c764935d0f1b3ba853
SHA256 31ec33ac12ea1f6a5ed369a5787a80ccad5e3843aca12b59d26e20b363d8eacc
SHA512 03677f848ac05beede5c7b84a4b904079a7d3f1ef27cf2ccaa5c64ccf2f8040a5106b9ffbca70c2f20192357f158c96c92383b06162f9b588f82d85c28ffd733

memory/1736-255-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4016-258-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 dfad486ed6dc537692d4aec10084ddff
SHA1 eb34fe92130e55a6f6889de320f59a90b7787114
SHA256 c519be86f329a21ba294f675668aa31590c0629bf41be65d18663fca35dc69d4
SHA512 ba1aa271018b9c57cd79307a4feb2c96fb4825159d9199ff9b4df63bee3532ae05ba345aa81cc470d1747dbb13ab6dec49997b7f626534f6c41cdf3e91e23bd8

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0193498e0d8dabccaa2f05ec56d378eb
SHA1 33cc9d09526cc74184e0fbbbc87d43250ac6a852
SHA256 b908060d01763da2f895457f0a6d260e2009f91c89b23f7e850b7a6acbded19f
SHA512 9f0c50ce5bd2ddcc5482e36e550fe5e6f51de8aa596f3fab0a15cc491efe9b5ac5e5ac4fade6d0ed7d3f716a706f2d94e18753c9942611cac2a0c8fbcf0e1c08

memory/1336-269-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1736-272-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 12aded24afb99e1f81c3142fa2532e77
SHA1 0c8f62f66a08561cf1bf65c200af69aca64e8cc0
SHA256 c4044b4caa054f752fb40d8eebba7cff8c6ba5c7492091c200903ee234591310
SHA512 ac3c50bd563c0eb8576d5014788273df9cf5f4ba28b2ddb99ac19da639a4d06be5b45877eb38394a82a67ea353df64e1f784935268a17150afb537cce497c295

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0f6f4fa36e7a0090cd88cf0d61778a9b
SHA1 c90fa9dfd4b1b1e974e4b12976604d5a7001254a
SHA256 fcc0906940bcc4ebb6a762173d58a4e92cedc20487bdc29b63efd68f5f2232df
SHA512 b4524cb47a9005367fc3f1898e045f80eace11ebe849df5f42efba6998168020f4bccf879bc040214f0458dd8d7a9ffa5a10c65aa4a47f704edf39ac3df097b9

memory/1196-281-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1336-286-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5ba8407afbc7c19a52aaace1927a60a7
SHA1 947d4e9bc3baa2e8ab7cc186658be6b38bde3af8
SHA256 b86a040d57e9be2b432f2197a1356c2f4a034f99d5e14c5e0bd6ee8e60241337
SHA512 1baf1fe281050876f646ceb41883fd6111559ab65c6a618742d00509561d19618c798202322870b2a2f7f92fa1287d710496149991b972cf8dbceecb264895f5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 660e99fac3bf88dbcc914464006ec5c0
SHA1 88fe9d90c0cf0f14696b42e42ee17ba0b1981476
SHA256 8e22e9e95bf3aa8ea2c60599e4c0c788e131f3ee31c8ea83669676c94efaed8a
SHA512 3ed23ba5e436de4af650303a73b5a28c1a0be327728e8254c2938a3e226d56a855ff9a9dc747e76f5d9a8c25e162c509cd6350e566c5db61243234c961a30c88

memory/4516-297-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1196-300-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c3330d75dc472c6f8b4668484f49a436
SHA1 f4a4b414c2747f742f2c1e55093c750cf866dca2
SHA256 f55100d7539628e2a2c8f494c259770fcdd875a52971c91fbd2675bc1116ac69
SHA512 754594810097d283f287a419c1f78e3a4a951576c6a64465cf1498a24ff8700b153c731af00e8343639d98dcce18eaa494c21c2bc1c52511a471f79f523ce8e0

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6b4877110e316d63a0916d8ab751c915
SHA1 b7b85f73f5da0321081096e2f6ca87f8f3335412
SHA256 15a7f5ecc6c6ab6b69ba6c35ec4aedba8082578a8db7d95d0a9db4224a7659da
SHA512 7c0d6da567ff374b2d2ac3fdc9b7ac0def4bce080376efbe3ba247879c40387f94e24fa3cd50418297b33898504416792f35ce7a7de99a6125b323aeba8eebc0

memory/3424-311-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4516-314-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bee557ffbb8bcfa07e9020f9b0a74b20
SHA1 810329ac9abf6d34a028a7e8da715cd947ec10e5
SHA256 9cd9856a4d695c58d0acee5c8b714c6122e5d938e9d121eb650e059721cd851c
SHA512 6494b603e8fe06d6f83a8848d97302eed9dc1298650673e0591b2280a98939e2a20e483da71d0ceb8d28b1df265d81a18d558d90608c38f6b93a1e5c9c8b4a45

memory/388-325-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bbbb737b8d23ec754227ba563a7046c3
SHA1 82000d1946bf88a59674fbc92c5e1a9ac4f3ae39
SHA256 0e412364886e13ae3faf348aa3e7e212750569819f81a1afc300e859b477602c
SHA512 4dc3af4151cee141e23947febce8a552756381dc3a9438a0db09fac9d91177e82f2b9f9200093835eff7201ccf408bd8fb20e142d6f62d1eb67e07176c10dad4

memory/3424-328-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6f7c5bfa9ea28fe1654a966bc1ebc7c4
SHA1 9959770a9db9e8217a4ab9d6928317c220e44f0d
SHA256 410a0875f2df7237df89de060cda90d5057ccac981da8ae7ea6a336def0e4f0b
SHA512 c0bdaaa3f212bad9aa2c92497177b22a1d456972be66913a2d231404160055adb6a97a6ad927c122583917c57836b55df9309e49231dfd00b996b82a5b86512f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d44c4871923925c906cb9205331a1f58
SHA1 589a45d179a145b0686d083cf33b567c641464f1
SHA256 081ec8b8f94d615e33ff9985126353d703e039e5b00054db1128a1d8d556f422
SHA512 24ac2491bc378599445d557834fa908a0101819ff273848a709a13a6901cd442c8e659598632950496fbbc3e27597fb65204053eec22e8dd432b437270401b42

memory/388-341-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 348fec391375699fe4bad50f298be590
SHA1 3874f4201e316e3ace8ab774e996c9b353608466
SHA256 768ce2f811f66cade3542438d09bad200178d036141ad305cd4e26d556457d09
SHA512 329e1b5646a03a7195daf8e062dde13c5be47083003c579778f26eafac32ec77b8fd7611bff793a8286dd3c1ef54d2f149bb09badff4b5553ba712bf99834836

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e76b37e2c7a6aaf398dd511dd05f4145
SHA1 5c90219a99ac8c49c209052953cef38598a79792
SHA256 9b2eb3750ec8184a9b9fba2db182dff87f447f6d508b094ae9d8630a5194350b
SHA512 a287dc34498360c4c1cab01ef190591c5055e9dc805d192b408def399830e7bf422aefe4a2721283ea53f13ab63f8d7eeed99e31598d7ad1ac89e8a2d3e90694

memory/5080-352-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1604-354-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5056-363-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5080-365-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4032-374-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5056-376-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3468-386-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4032-388-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3784-397-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3468-399-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3784-409-0x0000000000400000-0x0000000000430000-memory.dmp