Malware Analysis Report

2025-01-18 21:23

Sample ID 240323-zveg6seh8x
Target 5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48
SHA256 5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48

Threat Level: Known bad

The file 5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48 was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Detects executables built or packed with MPress PE compressor

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

Modifies system executable filetype association

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-23 21:02

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-23 21:02

Reported

2024-03-23 21:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 4364 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 4364 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 4364 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4364 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4364 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1820 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1820 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1820 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4908 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4908 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4908 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4128 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4128 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4128 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1616 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1616 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1616 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4232 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4232 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4232 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 540 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 540 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 540 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 412 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 412 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 412 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4764 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4764 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4764 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1220 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1220 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1220 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3860 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3860 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3860 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5072 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5072 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5072 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1216 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1216 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1216 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3956 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3956 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3956 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5100 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5100 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5100 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2004 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2004 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2004 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3568 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3848 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3848 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 3848 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5024 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5024 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 5024 wrote to memory of 4636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 4636 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 49.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 udp

Files

memory/4364-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 907291c545b6a2c26506b3899f04c6cb
SHA1 7a6221486dabb988d5513ea22a67966afa1a88dd
SHA256 1d651dfb56f7e70691e387680716f9902c00f99850e93a7575932437f7ad132f
SHA512 95b9017e3a91a744eb4c45ce6920bffb66add5d12655fcac2d964f4f591770b55f46b86f8cc4a05c7391a48542dd2f2016e4bb4f62c3716bbb77e5d5cac1841d

memory/1820-5-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4364-9-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 81165060d4ba8bb8249b0fc3603febd8
SHA1 8eb6fb832b50a5dc8e3baa11379c29339b00921d
SHA256 dced2a4b55e2d9a5811e103d70767cf48ba9bb14f24260ad893d78c1470014bc
SHA512 4d9f840c2b52f4e54b6db309dadc7589dad666b7512c4ae19b6f68b74d9706c2f9cf7c484124465e95026f6888572c81b996726dce18f21a9fe099877e9c07b6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 221caae2b834a09b4f226cc828ba4619
SHA1 7971c68b510fd828bfd05df3c8d1ecc99283e03a
SHA256 d8175eeeb84fecc9ef78f766bebfdca8f34b481726a7c3f5ea485bfd9f0287d2
SHA512 7376c0d0943fb5b29fd4c8c2929cdd84571da09bfc9503fab03ee5019902c67ca7757ea4fbfb75b3fa317f10489b96c9aa44a3fabb8da82063fe73fea435a1e2

memory/4908-18-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1820-22-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 16ba595c69cc2d48b4cb3129644e7f72
SHA1 06dfa927c577998a36e4ccedf952e3b3223f1f91
SHA256 a8c1fa373c271815d5335763c5d9edc80bc4d999b8ade658e652c3c55289945f
SHA512 c52c1bf13f18c33d71dea8732a6eeb1b4ac5a763d81490a79379b97c02a88547fc153e0e141940308cbab9b57a49f3d9e48ae17e573a90be507223f183db921d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d29312135f13b2bf9d274dc07a2f1639
SHA1 e4325563f4b08af44eac5204f9d97b1b826b8dbd
SHA256 a077b2a2983eda7a7bbee83ce98fde6bad1540416e7ca83ce0abef4d3d9aa038
SHA512 5bc06f484343193d6106ef83664fe1a81b85cdf7a8379c4af7fc0c032ff734d49fc063b0c16e205a2ed73b0af894ab0652ac9f2a1d029a6d40c19e57e4ddafec

memory/4128-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4908-35-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 819edac5093c8291bb66aeb24f1507a9
SHA1 96e6a210c26cdb8f211f4302c7ddf2cc4ab5192d
SHA256 07f34401710925177732aef7265ac97c45225d03c42694a4e4ff05b7df4ce663
SHA512 10952a8db4cedbec1c1f5cf8979d91fe8c091f2c2c4d1c3a84c614f42aa5122cb4e01064fe6db7a5bef858b0a26638dc8251de05e97a3696744c9f3594045894

C:\Windows\SysWOW64\drivers\spools.exe

MD5 95abd387d67f2736085546d64e7acab2
SHA1 82e8f63cc60724d0a9b921fa61307c73734775f4
SHA256 9f2e930495b766596e36532c4885ae9b6a91f984ef442d3edf33e299dbc2293e
SHA512 c7d64b5e4a1be32718f7aaeec950a2cba67042bbd3ddf2df0f5c94f95b410d709948cceb2733f09ba86fb9a560353d4aa3bcc4e211796d88d2bdd64510d3a3df

memory/1616-46-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4128-48-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f6f70ce8e8c47a5d8ce5e6296290f834
SHA1 e5e06fbac46067d85b1673f2e004234e7625b2ae
SHA256 503cd97ec485dbca689446a8207189deb6d937d152604785f2e69b8170e6b2ee
SHA512 0f504850a810d12c7c2ae489767c2326426f7dcdd700313cb23acc8ff056ccb37595c6f989df2d060fb4d65e2aa1c36450f6145907647852e26dd3ecc4f34d12

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2fcb08e9a4adc9065bf2b4f329a147a3
SHA1 78bb22110503ca775c547d3b810b3832b1f8d65a
SHA256 6def37d78e8042a2505573c9027d2f0e77bab373454648c16588f60a03c11b6f
SHA512 7ae2ddf1ac79b7a6b1e93971c8bbd54e2e357190bb46ae0dfcd54c6bd79893f630a1eecc40b16f7dfd8c1892f955590f5859b102ab88f64a4c01bf0c520a8f32

memory/4232-59-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1616-61-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6f4c9aec5a1551ad075ddff31a6109bd
SHA1 2b07d7700beeaafd38f9323fc65ed01cf4170e0a
SHA256 43db18afeaf1ec7b65ed77d0a0069606eaa03cdee0a565bb4c979f21c10bc777
SHA512 1365c87afe3da9458289f3a7cd851a09faca006d1aa0f163d6b9731830d443a822850593d7f89613e9b9a881192b80c5880051c61b0248bfda710ff2e268a254

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8366a5af15e09c535c5cd320668f6e73
SHA1 0ffe7121b4ebe359bc1378b1c59b7c35c38ce00f
SHA256 45a9e4c4a0a8808dca86c51a55ef3a6e9e80a31d6651723fe93cf8ad5cd3ff88
SHA512 d085732d1b7c91d984fd8f56e9ee886313fb11227f3bccb1218de6d72ada6ca195bf0dab182c2b4dbd7af2ec7ad7a7ba2a443464cdf12c9a7635de05023912c0

memory/4232-73-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e3e54d8c956782f7890bce773cd29ded
SHA1 166c35cc9824018597e17f6dcaf12fabda6ff11a
SHA256 0980419414f4f3c874eee6b5218c632a0dfedad4f7c727589597fc8d37b1a68c
SHA512 a0a2cbe3ebd83c1e685ea8108a468125fe2701313ee62d7229b0b042a6d2701aa494c01fa0d12d8ee5ab5d63a41f48f1445cae931a8d559b976c5be3c526c128

memory/412-82-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0002b21367c1e358046ffc7705acd49d
SHA1 bae23df489b87ff52a3468c1b9a23066b184efaf
SHA256 2d503cbdac0739cff5b057df052d38e4b3df4a9357f6457276f50415f292aa92
SHA512 ddbcde046678c2a76bb333b554135616bac39e71ffad56b86d763ea5e65953909b094845bd34ca197ad5f42dea96ca9e3aef42de8265283fa6f8402efae048cd

memory/540-86-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 09486db90008ad456e6cb6927be4d011
SHA1 813503a48ad53a0491249c33ed95156ee31533c5
SHA256 816b92ef207e292939953ad0d8e1de7113f4484fdacc7ceee7298e46fcbffb76
SHA512 83829d1dc2eddd4e9cca8595a509d2cbbe17fa65a91390167234a91e5e7142852ae616748239aa49c858680ccb1dcc63214de861bf0ff574ed121043db4f609c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ce0f9550bb7b45b914f70a76e0e2ffdc
SHA1 8488432635d3c2aeb0f5f8d2f6038fda84115ac9
SHA256 7fbad47d90cbdd0e5a3a8ffb22797a66bf3dca0b181fcafafe72e42cf47503d4
SHA512 ac170e34a0600f9d667b9b04e967bceaac160a10348cbe73c3b60273e5e3e326f4b48fb1e9cd4bd9ca4350685f65acea77807edb3e18f12a4983b4f4e5212a13

memory/412-98-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f3e847a9fe2bff38aa2427ad58fc769d
SHA1 d7b6308ecc2c4f2cd4f1f4f3275b2f1dedd8f27e
SHA256 e6d7943e625feed3c09fe82cacac3a076e4247b4200f8a16e0d03919ade8793a
SHA512 4d5f69d9a5c8e4af57c74581ecca00a4434ccad3528e4cf9ae1b0e79673ec15984d7cb9e5822ab5d6469f395677db9268a4c26d3265306b7ec14ce3d917a8ea9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 36a91f67f638ebc6c76ab470f7cc8177
SHA1 9fef654d81b5d32938c6620d199122f09e992128
SHA256 7ce88bacca1889727b13ab6c5b2cd44abe174b6531237f9091ff97ca7aefea33
SHA512 089c6e84fbbb683114279ea40df7bd9baddf543e2860ddd31aa220d61854c01e0adfc19d30491c72eb9e5cbff68b17856f8baa4f473a95a41cc5b868904d47d9

memory/3568-109-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4764-111-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 86231c9354471dbd593061f4dae9429a
SHA1 ee50e3eafb982b2402c4a6adcfcf54da847dc8e0
SHA256 903adba540653d12bb5fb3e50c0f9fef935698cc058c5f6c6317db1ce9a14874
SHA512 b9b474ed19f6f155e165d6e5ed090b8de1a4a6d2e5536b3bb642c73a9de4e72156b01057b529f06a27b63afccaa7ce7034eac19d7cb1dbefe67e11ac3afe149f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e6150b2b44cd6f8493eb73dd6e904ed4
SHA1 d14f1b3294bafa45d02ab22a76cee1ad18b434b1
SHA256 a9a82590b5f1b1098be361556bacc83032181e707fc6f0816ef91fa734669eda
SHA512 d613b041b4faa1385329e7a956c7a2ab9b846d5804d970eebf86f3924f18b5c33a91a2a3ee243a8a048520bed63b636851507bd1afe15834a2ef38ed5a75e5e5

memory/1220-122-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3568-124-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e1bab380096ce922ad89c206af586516
SHA1 f13c97e87f00db27cc078b6fb6dda0918a085610
SHA256 2df156b86edbfc6ecaf3320fca2aac95ccffdebdf0920eb25f7b9bf26bcc6ab8
SHA512 8cf78da148b922a7c6a21cb105c85a1212ccbf62e3c5fb222f1d93a3975ea082cdbc4077fa2c045c1b8664b8ef73b38e6caea2c46d5dbbc4481ddcfadbb148d0

memory/3860-133-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b57b035053304b9d7579171fa30806a5
SHA1 e2375ff3824b3aacd52d3c671838cb55cde068e4
SHA256 fb401136b4e295d14de4d51ee53fbae85e6622d87f934e87e2833675c49a5852
SHA512 c0a14e8ce8c24ccc232014389793132677fe8944be7eaff203efce0b05d9bbdd7cdf9027f4d7ae2af3a05614f3fbb25910410c79a876f9415fb5644a2a1b865a

memory/1220-137-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8c20536d5230a54c57f374266feba79b
SHA1 b5d564bfa325bf82a63d0467579167cb058c340b
SHA256 e0363b712b1b3e879d101b6c4be2788c1bdc2961bd801a2039995d74d32f082a
SHA512 98ef2db3b59d05dd9c330a2585d668e4b86888a8052bbcea1b53e868dd9bf40203f9f74871f0132166ee285fe9e73a9c1bfa685cc86b25db3414dc2b6d1899bc

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cc4126d959540901c180686dce3b6bdb
SHA1 5ce55faeff56058f212cbe7d6dd32c06016d5871
SHA256 1e7ead76526dac5a569faed5bf3e6241ac2189a7587290870c07b8bfd12a0762
SHA512 79f7faffb439e37cb9f3795944eed3b03f211e8a41e0f10f41faa7d41c952b0b37772cdb2ac957a3cda82efd0385ca83e4f38cebfca47f8d4b6d558d8089c513

memory/5072-148-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3860-150-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 327ca6ed87fe3d5dd888ff4a9f837621
SHA1 02baeddbdfe05e676c6772ab7d21983537453b7e
SHA256 4206307fce9e99c5ebe14dddece80ad99435af4a61a132db05bc619e3c8fbcdd
SHA512 5cee121827a3a7b76bea2f7d4cf8c732c14e7d6ad6c5d665978b9ab814951822876412f1582b3802a8c6925e03b74a6e5041730069456d86661a59679d5d2b19

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8cc1b988fd1525c1af840cdb8e7f413e
SHA1 6ace74cf2af5ca233a05a0145c08e440867020c3
SHA256 47e80c7843cee61b79675f9d00705f9d154bff4f0417609158c607dd35260b4c
SHA512 0961751a6aa6cead55220fd00da3de7685dcb3defbde8e094cc09f12cc174a020e2c5a78079d4346975da493370d06b43236c30aff81424a372913487060ce5d

memory/5072-162-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 288e1a998ef16e3b81dde95a2ed9ffec
SHA1 7e220403289738cbea0ecc3d0a3cb97ba345c549
SHA256 b2a7d908053d3919b2bbc033a99e18e621bbf4f2b4eb61c993399c6cb832534d
SHA512 46dc0e4d2279c71473fe38352095d3437546362bf655adad421a3d63105939e34bdc067073cfe8fe1ef73081af4fa344f2b9dd3b4d587255d721731208b2a8f4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7e5cf679b4d435d001375ae8d6d3bc4d
SHA1 d74be0388a0ab865d06004620df5eb66dbc0ee6a
SHA256 6e16b53adc07323a6aa77d336471756ae2cb985f7030a11db22ab0f994431439
SHA512 5b48da20ffe211edf78f572ba356fae5e6521731cf98ecdfa68c5a02a44e92c25deae9e6f59e6ac68f5ddbed2e11cce362c43fe94203d44fd43a5108ba87283c

memory/3956-171-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1216-175-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 525f284cdca08c9cae0871cf3f350275
SHA1 91273128ebffdecae56d8db305266b1286758784
SHA256 1d3aad4c847df244df1fe904b0851cbaea2a9e2c7506f41d3ba91055b17b17d3
SHA512 cbb54e56ba94b05b815dc7d74b75a43578e404da7962b35faab17bd6d24c55268ae0dc740211b709c06338ac1bc4cc7498656c7ad8b078c797ba77d73b66f04b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1f1ba865f01627e1680f5eb8d06b667a
SHA1 1d63599147f2bec96954f50f62ae2f87ef9abd3b
SHA256 3d5e4264217196bf4d43430a7300fba6502c041b4d12700a7c9bc424abe378fe
SHA512 d716cec8e8b7d37b2be7909b19ca1163d9fa15727f3aaf6f89f36f193859da4d19d7cc4a423b97b47d741904f201b1314ff3235e8be6ad257cca17d6b803591a

memory/5100-186-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3956-188-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 57793f3ff3d0ee8c1bcb1c66fd6bb22b
SHA1 a1e49851fdd0978b38b38150e1c7df730ca7e168
SHA256 653c83b18e21fe66a37cb6068b2fbbff0b8948197fdf339affe9bbc8d87c79b3
SHA512 51b60f2e606512396aefea168fa16747af6da28207b0f6fac5309c118db57137412fadfa15a65d1081adff53b25d0e3dec622fe7dcfb87bc85c5cc1184369c2a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 dfe7ccce8348f8a79aef764b60798d21
SHA1 2ea5985ee7d3fb6b6c19c19fc70d1f8d8f4ceffd
SHA256 da0798600b08cef82a508f57e362fac36ab05b224c8b59d001c75690d3cf75e7
SHA512 12e2f94996b6d7aab2a5a2dfbce9ebf568a02057ec1c2116d508396f81526a3421d4e56da92d20256d3d9a2d8ac8544f28c555c31424bab97560634edfced81d

memory/2004-199-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5100-201-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ededd131b1b63efc819da6213d5e18bf
SHA1 f8b199690673450fecdb1d75f94e56fccda79f4d
SHA256 f2394e1efc879f0d99edce8e6981f444336bfe41a591af7851e269d28b1901ae
SHA512 5acac1c3eb41614c015ef87a50448399dbfaf163679bff345e247bed661acf8538c45f4ce7fa6fba0e0dd76e4a7c662381e93c8e889e5879f70447ef8a26a853

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d44170b717366a0044e382c704212862
SHA1 f93ac95a3aa6be0d098aa4465943109edb161782
SHA256 1b9a190c185f47410ba1fdada88745f0be7e76fb783a1911331f144ed05e76dc
SHA512 9fea94a4745004ea30f095ebbe42e9bc7a12a7ffe90fb9357243d3baba1035c492e30adb63a10869a7fbd7dbbb76b6557cbf99b669ed9bea1709b9735d4fb280

memory/3568-212-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2004-214-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bcb8952247c37ff4b5aceb818e2532f2
SHA1 acbd755d82677fd71b64576d6608190c7187e20a
SHA256 16dbe110be153d49cc8074bbde2621d32a54fab9d109a6c920a4011eefa436f6
SHA512 b306bbb0a24913aaffd3b48b8b78f345e24d11b1e0c95feafafe32155d97b9872fc9f77d77c36af98f26c77836b07d21420a7e5331b77f9d0e6569e3920ee613

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f98cb9bf607ac10e40c3e3091d8548b9
SHA1 8d2c6e50b82cc3035563765f09a7db5b738e918a
SHA256 87a8e023a09bc14adb2bd915f7748f142dfbd5e07cc9515e6b365d159b8579a6
SHA512 4e3fd032842760c4e60e9b909896aa99afe5ea6aed7c1048e3ea2c5b56b2cb8c1ddebc0bd6876a0ff8a72c5aa706dd29e4a00041c611ca3d757dc4c7c578614e

memory/3848-223-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3568-227-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8af006d1d8aa407f0dd0882837dcbd0a
SHA1 fca09d9e49101c23f1c12b84117301067bbaaefe
SHA256 128c42ff1b808737e83ba32419c675b689f12fbc6cf4965113cb25dd3054af78
SHA512 77c708a3532ac84f8320d185160b6a671ff50574ab8fdd3d48b63d210756b18330bec51c920d142c82916c81af31461cfaabdafd4dca5e2ad90c4dfeeec9b1db

memory/5024-236-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3848-240-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2808513ea6d6ba6a9c6df6548d65fdac
SHA1 6132df6a628becf840d9b6745955e3dac4feaa16
SHA256 d4579f23cf21950d637f88b4bbc5fe8df9c2b446e9b4b993cf9e46d79fb34a93
SHA512 a8ff1a27fda41711177274b933f8668b3adc0ef8b9419a0ff709b69eecff1d1afdea174ea1c69a3171b72a1e57caa330dc4526f4162fb3ffabae865fb017c9d0

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 eb47d73a9e655fbdda42d42520a71601
SHA1 09a5154501453168d57fb4616e08311344131127
SHA256 e35de5d5096bb1917eeeaacac2bcbebdaf4b71497bc1352d06f20c597bbd45ba
SHA512 70fed69527677757a43b9eb35ac8f4cec66a5f053e668fdd81af654906c48c90b1d911908267a95b816c9c9fb2b5af3a7bbe4c60746ed88f43c5a14368822d3e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ccaef8fe9ce4a38e4b76fb2a046fca96
SHA1 1c06e861997fd8a6fcba02ab83382929012ce0fb
SHA256 3c8c89a71ec717e36b9384491a5948fa67eb503cad74f1a7a6f254d4af98f997
SHA512 97c3c635a089cc8919989c8bdce1247e8ca7b2e94f63fbcbbf0a0a7ee0b50a6b476da9ecb9f983ad19fc131048da01393543585ec06194c8a99cb4ecbbcabdf9

memory/5024-252-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8b5929ffaa017be030616cbf12a731b0
SHA1 939460f5ca63b251be74dd411495efe653961e89
SHA256 870bc7c54f4c388166a6f62b6c51441ce0002393b16ad964533f9237a671dcc6
SHA512 8cd6bf564786713ca6530a0e4cff7970da49c932ad24a2613ba52e8236777b7832799f636d0c894e5ac3e2caca317c8a8c30ba6266270b3a41934825d279ac0f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 74306faa2525d3eef5d025da268fb933
SHA1 76f9b3eb9a452a3fd3f8cb19110619ecc7c11e50
SHA256 6d76a980a148b112923c0965fa0699e05482ad4692e335b1dd28fc4c3862a64c
SHA512 e030c670647c72370a0de8a5c2492ab4b3cb8d5941eaf83083ee8542455b1f0fa586f2978eae6eddfd7d9ee200b350851c76d9892261a4523c9d76eff130cb78

memory/4636-264-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bad421d3f90dd1d8cff842796d8a5c67
SHA1 ff224e64868f79649c9faffe8284391f27ee4b5d
SHA256 78960218295b445eb1edeef91d2bd436d8d6151098414f951c05fe68b6bd0dff
SHA512 1092a914ca2245535051d1bb4d74038b1d70d44b645c7df4fd80df896d22a5fd5f35afb47576d020953a9eb8fd54c3cf1eb3cc1fba756a7c51d47d17c9f0d1fb

C:\Windows\SysWOW64\drivers\spools.exe

MD5 25f1a59f9c74efcf78d8771d89ca2bd0
SHA1 b2b6b8e01d7f527100adbca7dc5d1ece8ecdf420
SHA256 0a760c99264e17a4ad781e69dd56fc215b72bcab08424844e2a1459718e94972
SHA512 18547dda49ae196fb78946167e9a5a441ff94c4c2c82d5fde19616e93cd5f2d2a75f26ca13bffc6bb9885c56b88c91b970c1c183b56854a7470fcdb5a448cd69

memory/4644-275-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1824-276-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4628-285-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4644-286-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4628-295-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3916-303-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3336-305-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1952-314-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3916-315-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1952-325-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4516-324-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1820-333-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4516-335-0x0000000000400000-0x0000000000438000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-23 21:02

Reported

2024-03-23 21:04

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2164 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2164 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 2164 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Windows\SysWOW64\reg.exe
PID 2844 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2844 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2844 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2844 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2492 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2492 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2492 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2492 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2388 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2388 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2388 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2388 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2272 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2272 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2272 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2272 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2832 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2832 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2832 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2832 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1276 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1276 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1276 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1276 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1972 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1972 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1972 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1972 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1720 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1720 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1720 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1720 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1636 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1636 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1636 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1636 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 820 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 820 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 820 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 820 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2692 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2692 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2692 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2692 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1572 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1572 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1572 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1572 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1712 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1712 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1712 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 1712 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2904 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2904 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2904 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
PID 2904 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 bublikimanager.com udp

Files

memory/2164-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2164-1-0x0000000000370000-0x00000000003A8000-memory.dmp

memory/2844-2-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2492-10-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d7cbca63e707a4497b6da4151a3d5ee4
SHA1 d96d19a6a1663772ee4fa430384160908b7f69f1
SHA256 82dfe732c85d57aac6860b1326e55276ff1d7cff5c7ff9aee867febec146d9ac
SHA512 4d3273c59360b9613d798865f2136757bcaf7e1357239163d7144e5e800f820f02f10586d9eccf78c5cfd70def284d3d174824b398927321840b1409bebc5640

memory/2844-7-0x0000000000440000-0x0000000000478000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2164-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2844-13-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 43f861c75cf1e5d926bcc0d91a9e5db7
SHA1 ebafd8f82bc72e296a4b70452ecd89b2cfa0e985
SHA256 052954ce5da554255da0a69e2fee8d668b43cf5204360f8bcb83bac117da9348
SHA512 842d170db9a9d414eceb55ad4aba555cb377c95d6f0f7cc2d1839e284bf9d1185f4429dcd7cabed478eedd0f75b15663bfd1b7ef2a93f38970260da8c8a21e2d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6e5a3e6a46a0005b3e454ac62a1b9c54
SHA1 94e401f2b715695cb16faeaab903ac0740a9f5f5
SHA256 37a3fba6e7a806251be22de0639848f21bbeb3ab08ece8a19b8499cc463a32d0
SHA512 f1a5713f917299c6886839dfb935f4083989e0dc2b35d94d7e5e88ffa18fdfbd1ff67b8ad31bb21f9f7b3abae31039faa47d532a077fc365c1f6d7706f41c746

memory/2492-21-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/2492-23-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2388-24-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 85919f6535b1759dd398269049c40b95
SHA1 6e870178fa1bf98a13b5ba10c7974c17d81cbf4f
SHA256 a1467203b3b80a78c163e0574469e56d5eaaaf30281082ed7fed69e8b23b4092
SHA512 bb12f9f86bcc58c7b227d83d9b14336ff93827cc6e98b6276a6f80618e2f34e6879d0a3528caee5529ff384dd3ccfc0a9a2630bac7c436dd1f14363a006ee6a4

memory/2388-32-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 53c231650b94f8ed9fee467166df8ce7
SHA1 b6878a59964663e2166b9c6458a226269fa57f75
SHA256 380438a55204eb28039181eff5529a4f7a14ef84d07300dd39b15677538e8fb2
SHA512 fac6a0fc5c280e632fb2762939c70e7b624681ff8d5f787a3818095fd94cef99f7158747f2c231ec7fa8a78482231a863cb7ee348f0e1d6aae5f65c3a2ade7fb

memory/2272-33-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2388-28-0x0000000001F80000-0x0000000001FB8000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 01f020a08d01fcd6f76efd198af2f1f0
SHA1 aff2e90d98ff323843cc0b96a6291e16fbfc78f0
SHA256 acf71a5c251d1210d25617debd9dabf92aa71298516c81b775c511b003853734
SHA512 27c46ad0a1929937944737098a3d20608c4eb3e259ab1661331c54b21ae0064f8c60f387eae1b9a260e2ced1069e662cbeba793c341198c24c8116b7600d7385

memory/2272-40-0x0000000001F50000-0x0000000001F88000-memory.dmp

memory/2272-43-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2832-41-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7faf19fa634d9fcbf7b7a539923670c4
SHA1 13732b40640ded74a032b2f64a41c62f486bc570
SHA256 12d7bfb3df25739b89cd0d3881b205cd678acf4862150f96dab3d3046ea71292
SHA512 049d4ba83327456c19e3b64ac268acd19b4dcb9f131c688429b31e5b649da661aa0b8826f55d887bd562c6d9a3127667fed4232c329ab1b6a1cf6ac5a47b6084

memory/2832-51-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1276-52-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 93d75c5336cae0fc00401e0de02d8a82
SHA1 b6a624a41dcc51f9a95db7bf5ffc602c78e7c1b2
SHA256 c4159d7f9b68698cb4293ca73d470399002d833cce6942eafe44c913021c0f6f
SHA512 67c194a673e4473a0d174767c6d70c10f4e1cd1780ad4b20f57b9ddb9c3d53e02e46dbda9e29b93a6fc52566d7539f0416cdb27e1d091c5dc430d58540245fe7

memory/2832-47-0x0000000000440000-0x0000000000478000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 963af5409629b94da6c88805b39ffba6
SHA1 f2c53344f06510c06137a66d53f56e26265cb536
SHA256 792ddb2512112e1d7af7b26ad6cd32ee2e3f5151041911b27b6f507e43817db8
SHA512 9741cd8267d061806741b5c4606f149250db5bca9bc5e0a00156369379f4726e3c298bb6b5dba85d13b3c8a85477f44d7c459dad2022a60dafa3630f8db57e27

memory/1276-57-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/1972-60-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1276-62-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4bb90ac418ff2edda82b1fcec4dea816
SHA1 c22ff822809b496ac7017d82de5df13061f5d46a
SHA256 e157b36b24658d81bffdbc0dadb3d98c8ecf487e69d9f290731ec025c9511ddc
SHA512 b201f8db14b483f8afa424aee499511a6ec8a152f4fa03e62099554a4902f7bafa4aaf2d459d0983ea88de61a6df66593754dec96bf66e4565ef17e13434cd3b

memory/1972-66-0x0000000000380000-0x00000000003B8000-memory.dmp

memory/1972-70-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1720-71-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 20d4c1f7afad580f82867f5766aaf04b
SHA1 cf471c75846b270bda943479398cfccdd92441b0
SHA256 cbb05ed33c2a62d5b2defbafcd63de46661168d67b5ae87c421f78f0b4917050
SHA512 0c442c54da7e805704299169f418bdea5d00290409245436de4bdde6d71b2c857d00a686c51665aa8186b4f6410f9d650d399a2c5792ad384966a03c5bdeba05

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2c1c0a48fbe458eb3d257fd870eb84a4
SHA1 7ca5b3b997268058ed65c4fa36d11ef726c882d8
SHA256 39b574ca1834c98a4045ca05777feaf7464577e6af29f52c6bf01e94bb64e4fd
SHA512 f29edfff6cbdb8c6231f3be62d14cfeb972d728c693430fe59a3eb4b04892f6a683ce352300316d28f58ec8afca6918b373ef32173ea55de971279bda0bffc72

memory/1720-80-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1636-81-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1720-78-0x0000000000540000-0x0000000000578000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 49804087eedf0b4247438e97f37bd11b
SHA1 d7211c8d08ac029a3dcebfeb0e72e49cf03eec2a
SHA256 527195f881c0d87865a7d67a224171059c7c506597119f1071a82b69c41f7fe9
SHA512 2db639ca52f6171fca36fda8dffe39051d7a7c1648d9226ec13b6e3e6ef2758f46cace74295b9327228d595b114106a66d249a8ffa2cea1700a6763071aae641

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0ec6e2e7c08571c6afafa0618aa04a3a
SHA1 5c0951a9a3ed839ea377e453d15b48d24c82b31b
SHA256 e1688354579d9d62ebb0d50d9828c2def722d8dff47f08df5be0b338e0cf7dd9
SHA512 127887441866ebf6a8fd56802ebdc87b3f17c9b40a380240f92643ef3576d372d6d66ff1d4f705882371b705684a0dd99fd379e5d8d117a43934ebac4dfa2b2b

memory/1636-91-0x0000000000400000-0x0000000000438000-memory.dmp

memory/820-92-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1636-87-0x0000000000310000-0x0000000000348000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2418c8abd7d31398829a2d9f30f14a32
SHA1 aa1ea23931f4ab37c696600602bfea94c35ae0e9
SHA256 55381456de83f19b18ee92c581dd6fdc63f863e0f072b73c502575a5a64bb58a
SHA512 651bf750a4cb0610ceae3b31e8ea1e88945be7d646b691cf2f54ab815ff886b385b3f0845fb4aeabec79697fdabb36254358c3eadb6acb30770d051cfe8cb585

memory/820-102-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2692-103-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5810afa35d0ae588a4ff35856aa7c3fd
SHA1 3a76e4337d829f373d65c3f887e4bec4ce8fcefd
SHA256 bdfab69b5290c8e1aadbe0445dc7073658cc06314ab68a8b77daeacf7bb413e4
SHA512 43ce07ff50db34a80487ef9603aab8c90bf19af73c55e95df6bf181bb2eb9336c5c49f3c7786f1a3cca55936552cc329f2d9e59f1f6114479896d056d8ca66dc

memory/820-98-0x0000000000370000-0x00000000003A8000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 248396f5ff46aa0eb8004a56dde80466
SHA1 1dbf18161e9b8b2b44dfd9f2bc67889d49972983
SHA256 89dfc50d494096aa986c802278ddf5e70661a23cf2a7d389a050065ad01e518a
SHA512 a0b5df15afce90fc55d2bd0d1ca2f508b934b3f2fc6fbb28cace5892ab7fbc1eb503ef5b5b977097ed7412742eed6d1f0dbaa9db078214eaa88cdc84e333cc41

memory/2692-111-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1572-112-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 eaebc18c5449779704ec8b9d94ec1582
SHA1 38e3d047bae1e2363ec1ccb171705abcfd0b085c
SHA256 c171503c997d74866048fdaeec1719563ab44422e73a8cd39b182400120accc0
SHA512 e9d9344f672d4f8101080141e6c726578a3951c4308b451b917f94bba974840652663a085986dee15d4811cc75bb5536b948f7b6df9cef55c59d7285559d7e67

memory/2692-107-0x0000000000440000-0x0000000000478000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 536af064c64852859f5c4b9cac42fa7a
SHA1 90191923f6a2ca4634b719ea20286a0d0b711494
SHA256 d704b2a2eabbc27045181ce905df47d63bf7285f89fbfd2bbaddd31b32210d66
SHA512 c93f57973f4c40d62cd5f08709d92b143b25cd1556c896d27d9e327a2038e2cc9ffe1edd307f077a81a94134d206278c0cc809a01f8a16af07decb79effddafb

memory/1572-119-0x0000000001F30000-0x0000000001F68000-memory.dmp

memory/1712-120-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1572-122-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2872fee5ac4858037b80171bd61ab7a1
SHA1 6ac4d3f9bd9f1f0fcaa5966d65b66337eebfb3a8
SHA256 1c3e9a97e784d73a09f2f46e5afce99814e51be123ea663a76193b72bd874e8d
SHA512 176ea13a95fbad3789db1b72459e7ffe46362127fe80f8ffaa20fadb3ab213f1f79188605bd9911b20b86e54cba8a90170122b4a114ffda720c9bde0829a4e6c

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bdd65028cc244e282fbe6397f22bfcc1
SHA1 54fbe7db98f028b4cec33514cbc93c8e984146ff
SHA256 3f85486a3cf340326b6b67ec916397a0e5ee18db4b3305352412f2734864a871
SHA512 cd98be924fa4632eb05cfc8ae532d162d20d6e3bc904de88dbf90b87cf55d4b9b4dbaf40ccc17f1ed6001da4ff18dbb9f223d6df3c48ed052db1e0369f589ffb

memory/1712-126-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/2904-129-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1712-131-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f4cae3b3791aae5b0ac09444a91f6a95
SHA1 8b11276ba5fe7ecf148196f6f6968cc917346988
SHA256 924d80f3495f364eb079ad929a6c5e9f2eb583e7357d14d370390dbd4c721594
SHA512 44d355022a5493945f9b8e3a84cee5811daa75eb14b745e44649eee925e947c40d20f28bb2cb6ceefc288297d693e3b9ed2ca01057ac6b57457b6324f88288cc

memory/2904-136-0x0000000001D30000-0x0000000001D68000-memory.dmp

memory/3008-139-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2904-141-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 1a82a6dea8246d435d34e9f7112c0aa7
SHA1 f884bd5075ac43a0c578405dcf4f739240e8f10f
SHA256 f1c86cc2c9443507adc13169d8ed53f702af85b9b2dbf97ec543dc96b7dc08ed
SHA512 8ed76c5608db984962e6356fe6c4322f5e769f9d6ada6d287d8c0d53f0447cd3396a5ba2d84055b096860d4465b5d9c61f54fb2c40e7f74029a837b5f7da600c

memory/3008-145-0x0000000001FB0000-0x0000000001FE8000-memory.dmp

memory/784-146-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1665880d65b4b1c12d844003830328f0
SHA1 0eeb2b8f241c520d06a2dc3c73389752956b7c98
SHA256 ea6236c48960c33587f272a0682a04fb7cf20228b3cadb61d98ec20286dd86cd
SHA512 7708c9d305ada887f9cf6916c0f3c17bdb538d2e38759deadcd3b0043afd216773dde5c7fbb8fe3d69a79df2bfd75be1731f5fbc472af43b7f806d0bff48087c

memory/3008-150-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 305ef8f30004c47175ec0843fd569561
SHA1 98036e6e12b9a64e51ba2cad1e5afacc8acbf228
SHA256 316dcf4f418c1723c653d7a4992119b4da098cf0502fa1577f5b4f4c1be8ade6
SHA512 5cf7079a24d0aeea9f4084467922dfc05498a36e97b96a1853774ff7af7023a04b2cb89722477d7fba79aa420faa7f23705ec7159ae1b11c461e8a221daf1f46

memory/784-155-0x0000000000320000-0x0000000000358000-memory.dmp

memory/1064-158-0x0000000000400000-0x0000000000438000-memory.dmp

memory/784-160-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 42e153bd473b5e9c00853822494ea225
SHA1 5ab1e40af91d9cf1e50c957fbfe64b9fb365d1c1
SHA256 5c80f6d8aa534697aad0b1a4a2c3de9e508993d80e22589d885b87cd3cf678c2
SHA512 5bff4382a73cc0f6c3e400f26fa2446ee1d4db94f4d2469b9a8c04c22a681c175c306dc8f463a833007ef631966f0d1299671e9a011c7518dbfc1c3debde0aff

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f5321eb242922583a9798be809c39afd
SHA1 42e4abc1d6fed0bf8d6b3556ff966fecdbe7702e
SHA256 8dd27486eb6fbea566dccb1a1fb38316bccfa706046157a650a6527d55d6cef3
SHA512 5d9e00deca463e51c427c8c8c39121696281dc7ba5aaf2a18c88c3e6ce9c3184dbcfa89a9448134a7768300b699c04a38300ca9d10374430d127bd8d013ba613

memory/2012-169-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1064-166-0x00000000003A0000-0x00000000003D8000-memory.dmp

memory/1064-171-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6d8f768b9f849681564406272a5e5946
SHA1 d5e8933b257800f66abc80c29e3e79f220466cb3
SHA256 8625d7a642d308b02ebb7ac2a21b3898cbf8a54d95f788820a481f4e6d908cad
SHA512 a9c403cef1a0401d5f80d86e70290b051038af7172e4d5ce2b7af8fa644b589fe87e358586ade086c4452ee36957d3b0ebe2d119227cf881f2acecc405a879fe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1ac32786d31a40387bf28ba877b4ecb3
SHA1 32620c83590fdb3aad09f1a1f46c665144eff58c
SHA256 084e348343015b4abc4116909e874a0145976c1ea7bd81dc657305f11545f0bc
SHA512 b192499109decb294d9ddcd49f494c0f64d560e00db3dd614773c7a362e01d4eb49d37dad5a8dbb20e89734579e4dd851c55f83fb674148b50911c2dcb1a856e

memory/2012-177-0x0000000001DE0000-0x0000000001E18000-memory.dmp

memory/2188-178-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2012-180-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6e9ab8ec94da81aaf5b89c52cc1baa15
SHA1 a55887e2ee12f039bd5c5fd589f931be328c9981
SHA256 b81b8a3be737ca37be7e7585e8f5155d2957b4365e51628910735aef6ed03f12
SHA512 c33a120c0c98bdf2cb9f858d46b4a2fc2cf5a7a8f8af01ed891ba6f474f842287535bce3c8d09dd4033679b280122b824347358e3792db18a411f8d516795800

memory/2188-185-0x00000000003C0000-0x00000000003F8000-memory.dmp

memory/1512-188-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2188-190-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 cb07ed1cdcb70225569711dd8c582cf8
SHA1 2bdd06eff9be464b6da2e370b4e12f5d4e84572d
SHA256 c159331affecb3744e9c516198a1502d2c7f70afe64e82812c3838453bb407c5
SHA512 a29c270766df726742d3d5e4a7467bc196a18e8ac56043560841bda3d2c5b48ec2e245b81662d349f0d65611a3a5ae4e3d20d25006c7919d2c57c80666d2cbaf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 84e477ea5a0a308e40f734fa535e547d
SHA1 ffca47196378d937c1f961e78afaff37854ca17a
SHA256 a87900d054a7e2b575baed49e65f06f66798f6ec5715bf20e7c7d7e17e2c95ca
SHA512 e380497d8d6e83767bc514ace444ed202f33347c42f8b9f78fa42c2efa12dcfbf77828a6251bb5f592eb31cb7a4a1ff0addecca63d22704ae0cdd97a033e3c9b

memory/1512-196-0x0000000000440000-0x0000000000478000-memory.dmp

memory/2640-197-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1512-199-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4cfcde23e7a6c7d45d98bbfb788d850d
SHA1 955c50d9f57352fac1f16b8599901fb00f4e4599
SHA256 0d2f1d60df6bf54756a25479b3bc24700751fc78cc0987caecc413bff6e140f5
SHA512 972236f21fcf57d0d6e2837cad471f6b2c2c8aa6f2d0a228549647634544e7b4742b09ac854df7d867c5dfef7cb125adc4d44029d26cc4a2bed46eeadcd051c4

memory/2640-204-0x0000000001CF0000-0x0000000001D28000-memory.dmp

memory/2652-207-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-209-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 68f4e6dc992ee2c0c41136319640e90d
SHA1 aa085137bfd09ba530684afa66b10dadbcf7879c
SHA256 fb834bff184f68db0e8caab5f617c9af37442176b4a7de31e848e2be11d3c1ec
SHA512 3b96c7bda3766cfe755ba1838fd1a50e09e8e31e87a05ebb6c3ce5a8c46e72334b407662546bd821aa6f29a045ed45444325bdba2ef1bb7c5ed08610c5132a20

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e11dc15ea3fd314bc1cdb3857d4e24f7
SHA1 2eb5c7e5edafef9e1bd0ac1a20b6fefe5a29696e
SHA256 f08f50f1970d0e0016be8048ce830b29d2bef3839b62de1eddaa22bb2addf54c
SHA512 e48baad2018f42195de1cb7aa2eb557a28b0578ac7d0d906944d5ba68bf37bd54bb23f11b52186c63083644aad06c392c65afebecbe1f753f28a7f703b62c5f9

memory/2672-218-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2652-217-0x0000000000380000-0x00000000003B8000-memory.dmp

memory/2652-220-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9d412bc8930c03d9dc7765308a7e82b1
SHA1 804184df870799a74a78ea7204ef018b451a54c8
SHA256 bee7883c89e19898011b7afd75f4fec551b2075e63a1fc0df76deb369ed70f23
SHA512 ff550a461b4b66eac9bf76adde14c9c62803d3778f3e867a098736eabe79eeb20bf6f9a81cf41683902d110f4d86a1077376f1721b07deae4c4eca3eebd4073f

memory/2672-226-0x0000000001FC0000-0x0000000001FF8000-memory.dmp

memory/2868-229-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a3c6e746b318606a52ff5df267195e08
SHA1 05345fc822d7dad68763cbdc1abab43b79d28497
SHA256 446fcbeeb4f74d516dc918e144b8d957f45d78f458acdf035d7c3e77219ec7ee
SHA512 a2b8995afccea1a13989e375aeed8e2877ea0ddbe9a233cd9757950d4a8e9aca2035db51956a80cdad46dfd9e6b4519b1a52cd46218bd5cde01a3f48a7fe948f

memory/2672-231-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 3df20ddcff15a6b5bfdcb954aee686a2
SHA1 94a41a22649177c5941fc4b5389f51d2f38da446
SHA256 2c5dddc0c6ea8f0d9cb30682d993ce519bddfdb67429c01b8b6fdecc82f16dac
SHA512 bd01e922e4debd130e5c49db244ab6d28747d981d683e17a84952ae17597f8747660cf9309869f70a7a47a021a827b6fc579176b1649d1567cdbd90952cd2c89

C:\Windows\SysWOW64\drivers\spools.exe

MD5 afc9077d70492f2515b721ec68701d98
SHA1 7afaa14f892461317ff9b84dae506a2eb82e0aba
SHA256 ff6d07dd554381b9ef2d7cd31e557d2958a978eb469e97437836ee1393854a69
SHA512 313c8645ef9b4ada0c6b42dae77670bfa21cdf027952c125fa2c7e6a162e806b8ea74f932c051a1dab35d1312192f1992fe8bdb23482e048bd140e552c518f92

memory/2868-239-0x0000000001D30000-0x0000000001D68000-memory.dmp

memory/2872-240-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2868-242-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f593ef5f41144f3f518f0426c24c23f6
SHA1 12765d237871cbabf03a324b37413e6dd6321d4a
SHA256 d074e0b1d0561bdbcf3284b8f7b0eadf20a8e5845b4a66e3c2ed537ae7eacb90
SHA512 dbcfe1e74428f3bc67386e07af2eaa6b36724ace40288b88cec191d5b4cb53ecc0ba1e558fe6f108724ef40e0369a506f6eb54bd18e5dc36ae95d49a38328b87

memory/2872-246-0x00000000004F0000-0x0000000000528000-memory.dmp

memory/1556-248-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2872-249-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1556-255-0x0000000001FA0000-0x0000000001FD8000-memory.dmp

memory/2436-256-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1556-257-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2436-262-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/320-264-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2436-265-0x0000000000400000-0x0000000000438000-memory.dmp

memory/320-272-0x0000000001D00000-0x0000000001D38000-memory.dmp

memory/1928-273-0x0000000000400000-0x0000000000438000-memory.dmp

memory/320-271-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1928-278-0x00000000003B0000-0x00000000003E8000-memory.dmp

memory/1988-280-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1928-281-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1988-286-0x0000000001F60000-0x0000000001F98000-memory.dmp

memory/1988-288-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1620-289-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1620-296-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1620-295-0x0000000000440000-0x0000000000478000-memory.dmp

memory/1160-304-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2464-311-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2580-318-0x0000000000400000-0x0000000000438000-memory.dmp