Analysis Overview
SHA256
5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48
Threat Level: Known bad
The file 5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48 was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Sets service image path in registry
Drops file in Drivers directory
Modifies system executable filetype association
Modifies WinLogon
Adds Run key to start application
Enumerates connected drives
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-23 21:02
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-23 21:02
Reported
2024-03-23 21:04
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-23 21:02
Reported
2024-03-23 21:04
Platform
win7-20240221-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
"C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe"
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
C:\Users\Admin\AppData\Local\Temp\5fd6daa4d3e0caf838a4abbac3f5687017ce143cacbca05dd1fd4b7befab6a48.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
Files
memory/2164-0-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2164-1-0x0000000000370000-0x00000000003A8000-memory.dmp
memory/2844-2-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2492-10-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d7cbca63e707a4497b6da4151a3d5ee4 |
| SHA1 | d96d19a6a1663772ee4fa430384160908b7f69f1 |
| SHA256 | 82dfe732c85d57aac6860b1326e55276ff1d7cff5c7ff9aee867febec146d9ac |
| SHA512 | 4d3273c59360b9613d798865f2136757bcaf7e1357239163d7144e5e800f820f02f10586d9eccf78c5cfd70def284d3d174824b398927321840b1409bebc5640 |
memory/2844-7-0x0000000000440000-0x0000000000478000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/2164-12-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2844-13-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 43f861c75cf1e5d926bcc0d91a9e5db7 |
| SHA1 | ebafd8f82bc72e296a4b70452ecd89b2cfa0e985 |
| SHA256 | 052954ce5da554255da0a69e2fee8d668b43cf5204360f8bcb83bac117da9348 |
| SHA512 | 842d170db9a9d414eceb55ad4aba555cb377c95d6f0f7cc2d1839e284bf9d1185f4429dcd7cabed478eedd0f75b15663bfd1b7ef2a93f38970260da8c8a21e2d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6e5a3e6a46a0005b3e454ac62a1b9c54 |
| SHA1 | 94e401f2b715695cb16faeaab903ac0740a9f5f5 |
| SHA256 | 37a3fba6e7a806251be22de0639848f21bbeb3ab08ece8a19b8499cc463a32d0 |
| SHA512 | f1a5713f917299c6886839dfb935f4083989e0dc2b35d94d7e5e88ffa18fdfbd1ff67b8ad31bb21f9f7b3abae31039faa47d532a077fc365c1f6d7706f41c746 |
memory/2492-21-0x00000000003C0000-0x00000000003F8000-memory.dmp
memory/2492-23-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2388-24-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 85919f6535b1759dd398269049c40b95 |
| SHA1 | 6e870178fa1bf98a13b5ba10c7974c17d81cbf4f |
| SHA256 | a1467203b3b80a78c163e0574469e56d5eaaaf30281082ed7fed69e8b23b4092 |
| SHA512 | bb12f9f86bcc58c7b227d83d9b14336ff93827cc6e98b6276a6f80618e2f34e6879d0a3528caee5529ff384dd3ccfc0a9a2630bac7c436dd1f14363a006ee6a4 |
memory/2388-32-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 53c231650b94f8ed9fee467166df8ce7 |
| SHA1 | b6878a59964663e2166b9c6458a226269fa57f75 |
| SHA256 | 380438a55204eb28039181eff5529a4f7a14ef84d07300dd39b15677538e8fb2 |
| SHA512 | fac6a0fc5c280e632fb2762939c70e7b624681ff8d5f787a3818095fd94cef99f7158747f2c231ec7fa8a78482231a863cb7ee348f0e1d6aae5f65c3a2ade7fb |
memory/2272-33-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2388-28-0x0000000001F80000-0x0000000001FB8000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 01f020a08d01fcd6f76efd198af2f1f0 |
| SHA1 | aff2e90d98ff323843cc0b96a6291e16fbfc78f0 |
| SHA256 | acf71a5c251d1210d25617debd9dabf92aa71298516c81b775c511b003853734 |
| SHA512 | 27c46ad0a1929937944737098a3d20608c4eb3e259ab1661331c54b21ae0064f8c60f387eae1b9a260e2ced1069e662cbeba793c341198c24c8116b7600d7385 |
memory/2272-40-0x0000000001F50000-0x0000000001F88000-memory.dmp
memory/2272-43-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2832-41-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7faf19fa634d9fcbf7b7a539923670c4 |
| SHA1 | 13732b40640ded74a032b2f64a41c62f486bc570 |
| SHA256 | 12d7bfb3df25739b89cd0d3881b205cd678acf4862150f96dab3d3046ea71292 |
| SHA512 | 049d4ba83327456c19e3b64ac268acd19b4dcb9f131c688429b31e5b649da661aa0b8826f55d887bd562c6d9a3127667fed4232c329ab1b6a1cf6ac5a47b6084 |
memory/2832-51-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1276-52-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 93d75c5336cae0fc00401e0de02d8a82 |
| SHA1 | b6a624a41dcc51f9a95db7bf5ffc602c78e7c1b2 |
| SHA256 | c4159d7f9b68698cb4293ca73d470399002d833cce6942eafe44c913021c0f6f |
| SHA512 | 67c194a673e4473a0d174767c6d70c10f4e1cd1780ad4b20f57b9ddb9c3d53e02e46dbda9e29b93a6fc52566d7539f0416cdb27e1d091c5dc430d58540245fe7 |
memory/2832-47-0x0000000000440000-0x0000000000478000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 963af5409629b94da6c88805b39ffba6 |
| SHA1 | f2c53344f06510c06137a66d53f56e26265cb536 |
| SHA256 | 792ddb2512112e1d7af7b26ad6cd32ee2e3f5151041911b27b6f507e43817db8 |
| SHA512 | 9741cd8267d061806741b5c4606f149250db5bca9bc5e0a00156369379f4726e3c298bb6b5dba85d13b3c8a85477f44d7c459dad2022a60dafa3630f8db57e27 |
memory/1276-57-0x00000000003C0000-0x00000000003F8000-memory.dmp
memory/1972-60-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1276-62-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4bb90ac418ff2edda82b1fcec4dea816 |
| SHA1 | c22ff822809b496ac7017d82de5df13061f5d46a |
| SHA256 | e157b36b24658d81bffdbc0dadb3d98c8ecf487e69d9f290731ec025c9511ddc |
| SHA512 | b201f8db14b483f8afa424aee499511a6ec8a152f4fa03e62099554a4902f7bafa4aaf2d459d0983ea88de61a6df66593754dec96bf66e4565ef17e13434cd3b |
memory/1972-66-0x0000000000380000-0x00000000003B8000-memory.dmp
memory/1972-70-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1720-71-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 20d4c1f7afad580f82867f5766aaf04b |
| SHA1 | cf471c75846b270bda943479398cfccdd92441b0 |
| SHA256 | cbb05ed33c2a62d5b2defbafcd63de46661168d67b5ae87c421f78f0b4917050 |
| SHA512 | 0c442c54da7e805704299169f418bdea5d00290409245436de4bdde6d71b2c857d00a686c51665aa8186b4f6410f9d650d399a2c5792ad384966a03c5bdeba05 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2c1c0a48fbe458eb3d257fd870eb84a4 |
| SHA1 | 7ca5b3b997268058ed65c4fa36d11ef726c882d8 |
| SHA256 | 39b574ca1834c98a4045ca05777feaf7464577e6af29f52c6bf01e94bb64e4fd |
| SHA512 | f29edfff6cbdb8c6231f3be62d14cfeb972d728c693430fe59a3eb4b04892f6a683ce352300316d28f58ec8afca6918b373ef32173ea55de971279bda0bffc72 |
memory/1720-80-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1636-81-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1720-78-0x0000000000540000-0x0000000000578000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 49804087eedf0b4247438e97f37bd11b |
| SHA1 | d7211c8d08ac029a3dcebfeb0e72e49cf03eec2a |
| SHA256 | 527195f881c0d87865a7d67a224171059c7c506597119f1071a82b69c41f7fe9 |
| SHA512 | 2db639ca52f6171fca36fda8dffe39051d7a7c1648d9226ec13b6e3e6ef2758f46cace74295b9327228d595b114106a66d249a8ffa2cea1700a6763071aae641 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0ec6e2e7c08571c6afafa0618aa04a3a |
| SHA1 | 5c0951a9a3ed839ea377e453d15b48d24c82b31b |
| SHA256 | e1688354579d9d62ebb0d50d9828c2def722d8dff47f08df5be0b338e0cf7dd9 |
| SHA512 | 127887441866ebf6a8fd56802ebdc87b3f17c9b40a380240f92643ef3576d372d6d66ff1d4f705882371b705684a0dd99fd379e5d8d117a43934ebac4dfa2b2b |
memory/1636-91-0x0000000000400000-0x0000000000438000-memory.dmp
memory/820-92-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1636-87-0x0000000000310000-0x0000000000348000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2418c8abd7d31398829a2d9f30f14a32 |
| SHA1 | aa1ea23931f4ab37c696600602bfea94c35ae0e9 |
| SHA256 | 55381456de83f19b18ee92c581dd6fdc63f863e0f072b73c502575a5a64bb58a |
| SHA512 | 651bf750a4cb0610ceae3b31e8ea1e88945be7d646b691cf2f54ab815ff886b385b3f0845fb4aeabec79697fdabb36254358c3eadb6acb30770d051cfe8cb585 |
memory/820-102-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2692-103-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5810afa35d0ae588a4ff35856aa7c3fd |
| SHA1 | 3a76e4337d829f373d65c3f887e4bec4ce8fcefd |
| SHA256 | bdfab69b5290c8e1aadbe0445dc7073658cc06314ab68a8b77daeacf7bb413e4 |
| SHA512 | 43ce07ff50db34a80487ef9603aab8c90bf19af73c55e95df6bf181bb2eb9336c5c49f3c7786f1a3cca55936552cc329f2d9e59f1f6114479896d056d8ca66dc |
memory/820-98-0x0000000000370000-0x00000000003A8000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 248396f5ff46aa0eb8004a56dde80466 |
| SHA1 | 1dbf18161e9b8b2b44dfd9f2bc67889d49972983 |
| SHA256 | 89dfc50d494096aa986c802278ddf5e70661a23cf2a7d389a050065ad01e518a |
| SHA512 | a0b5df15afce90fc55d2bd0d1ca2f508b934b3f2fc6fbb28cace5892ab7fbc1eb503ef5b5b977097ed7412742eed6d1f0dbaa9db078214eaa88cdc84e333cc41 |
memory/2692-111-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1572-112-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | eaebc18c5449779704ec8b9d94ec1582 |
| SHA1 | 38e3d047bae1e2363ec1ccb171705abcfd0b085c |
| SHA256 | c171503c997d74866048fdaeec1719563ab44422e73a8cd39b182400120accc0 |
| SHA512 | e9d9344f672d4f8101080141e6c726578a3951c4308b451b917f94bba974840652663a085986dee15d4811cc75bb5536b948f7b6df9cef55c59d7285559d7e67 |
memory/2692-107-0x0000000000440000-0x0000000000478000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 536af064c64852859f5c4b9cac42fa7a |
| SHA1 | 90191923f6a2ca4634b719ea20286a0d0b711494 |
| SHA256 | d704b2a2eabbc27045181ce905df47d63bf7285f89fbfd2bbaddd31b32210d66 |
| SHA512 | c93f57973f4c40d62cd5f08709d92b143b25cd1556c896d27d9e327a2038e2cc9ffe1edd307f077a81a94134d206278c0cc809a01f8a16af07decb79effddafb |
memory/1572-119-0x0000000001F30000-0x0000000001F68000-memory.dmp
memory/1712-120-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1572-122-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2872fee5ac4858037b80171bd61ab7a1 |
| SHA1 | 6ac4d3f9bd9f1f0fcaa5966d65b66337eebfb3a8 |
| SHA256 | 1c3e9a97e784d73a09f2f46e5afce99814e51be123ea663a76193b72bd874e8d |
| SHA512 | 176ea13a95fbad3789db1b72459e7ffe46362127fe80f8ffaa20fadb3ab213f1f79188605bd9911b20b86e54cba8a90170122b4a114ffda720c9bde0829a4e6c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bdd65028cc244e282fbe6397f22bfcc1 |
| SHA1 | 54fbe7db98f028b4cec33514cbc93c8e984146ff |
| SHA256 | 3f85486a3cf340326b6b67ec916397a0e5ee18db4b3305352412f2734864a871 |
| SHA512 | cd98be924fa4632eb05cfc8ae532d162d20d6e3bc904de88dbf90b87cf55d4b9b4dbaf40ccc17f1ed6001da4ff18dbb9f223d6df3c48ed052db1e0369f589ffb |
memory/1712-126-0x0000000000390000-0x00000000003C8000-memory.dmp
memory/2904-129-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1712-131-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f4cae3b3791aae5b0ac09444a91f6a95 |
| SHA1 | 8b11276ba5fe7ecf148196f6f6968cc917346988 |
| SHA256 | 924d80f3495f364eb079ad929a6c5e9f2eb583e7357d14d370390dbd4c721594 |
| SHA512 | 44d355022a5493945f9b8e3a84cee5811daa75eb14b745e44649eee925e947c40d20f28bb2cb6ceefc288297d693e3b9ed2ca01057ac6b57457b6324f88288cc |
memory/2904-136-0x0000000001D30000-0x0000000001D68000-memory.dmp
memory/3008-139-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2904-141-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1a82a6dea8246d435d34e9f7112c0aa7 |
| SHA1 | f884bd5075ac43a0c578405dcf4f739240e8f10f |
| SHA256 | f1c86cc2c9443507adc13169d8ed53f702af85b9b2dbf97ec543dc96b7dc08ed |
| SHA512 | 8ed76c5608db984962e6356fe6c4322f5e769f9d6ada6d287d8c0d53f0447cd3396a5ba2d84055b096860d4465b5d9c61f54fb2c40e7f74029a837b5f7da600c |
memory/3008-145-0x0000000001FB0000-0x0000000001FE8000-memory.dmp
memory/784-146-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1665880d65b4b1c12d844003830328f0 |
| SHA1 | 0eeb2b8f241c520d06a2dc3c73389752956b7c98 |
| SHA256 | ea6236c48960c33587f272a0682a04fb7cf20228b3cadb61d98ec20286dd86cd |
| SHA512 | 7708c9d305ada887f9cf6916c0f3c17bdb538d2e38759deadcd3b0043afd216773dde5c7fbb8fe3d69a79df2bfd75be1731f5fbc472af43b7f806d0bff48087c |
memory/3008-150-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 305ef8f30004c47175ec0843fd569561 |
| SHA1 | 98036e6e12b9a64e51ba2cad1e5afacc8acbf228 |
| SHA256 | 316dcf4f418c1723c653d7a4992119b4da098cf0502fa1577f5b4f4c1be8ade6 |
| SHA512 | 5cf7079a24d0aeea9f4084467922dfc05498a36e97b96a1853774ff7af7023a04b2cb89722477d7fba79aa420faa7f23705ec7159ae1b11c461e8a221daf1f46 |
memory/784-155-0x0000000000320000-0x0000000000358000-memory.dmp
memory/1064-158-0x0000000000400000-0x0000000000438000-memory.dmp
memory/784-160-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 42e153bd473b5e9c00853822494ea225 |
| SHA1 | 5ab1e40af91d9cf1e50c957fbfe64b9fb365d1c1 |
| SHA256 | 5c80f6d8aa534697aad0b1a4a2c3de9e508993d80e22589d885b87cd3cf678c2 |
| SHA512 | 5bff4382a73cc0f6c3e400f26fa2446ee1d4db94f4d2469b9a8c04c22a681c175c306dc8f463a833007ef631966f0d1299671e9a011c7518dbfc1c3debde0aff |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f5321eb242922583a9798be809c39afd |
| SHA1 | 42e4abc1d6fed0bf8d6b3556ff966fecdbe7702e |
| SHA256 | 8dd27486eb6fbea566dccb1a1fb38316bccfa706046157a650a6527d55d6cef3 |
| SHA512 | 5d9e00deca463e51c427c8c8c39121696281dc7ba5aaf2a18c88c3e6ce9c3184dbcfa89a9448134a7768300b699c04a38300ca9d10374430d127bd8d013ba613 |
memory/2012-169-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1064-166-0x00000000003A0000-0x00000000003D8000-memory.dmp
memory/1064-171-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6d8f768b9f849681564406272a5e5946 |
| SHA1 | d5e8933b257800f66abc80c29e3e79f220466cb3 |
| SHA256 | 8625d7a642d308b02ebb7ac2a21b3898cbf8a54d95f788820a481f4e6d908cad |
| SHA512 | a9c403cef1a0401d5f80d86e70290b051038af7172e4d5ce2b7af8fa644b589fe87e358586ade086c4452ee36957d3b0ebe2d119227cf881f2acecc405a879fe |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1ac32786d31a40387bf28ba877b4ecb3 |
| SHA1 | 32620c83590fdb3aad09f1a1f46c665144eff58c |
| SHA256 | 084e348343015b4abc4116909e874a0145976c1ea7bd81dc657305f11545f0bc |
| SHA512 | b192499109decb294d9ddcd49f494c0f64d560e00db3dd614773c7a362e01d4eb49d37dad5a8dbb20e89734579e4dd851c55f83fb674148b50911c2dcb1a856e |
memory/2012-177-0x0000000001DE0000-0x0000000001E18000-memory.dmp
memory/2188-178-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2012-180-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6e9ab8ec94da81aaf5b89c52cc1baa15 |
| SHA1 | a55887e2ee12f039bd5c5fd589f931be328c9981 |
| SHA256 | b81b8a3be737ca37be7e7585e8f5155d2957b4365e51628910735aef6ed03f12 |
| SHA512 | c33a120c0c98bdf2cb9f858d46b4a2fc2cf5a7a8f8af01ed891ba6f474f842287535bce3c8d09dd4033679b280122b824347358e3792db18a411f8d516795800 |
memory/2188-185-0x00000000003C0000-0x00000000003F8000-memory.dmp
memory/1512-188-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2188-190-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | cb07ed1cdcb70225569711dd8c582cf8 |
| SHA1 | 2bdd06eff9be464b6da2e370b4e12f5d4e84572d |
| SHA256 | c159331affecb3744e9c516198a1502d2c7f70afe64e82812c3838453bb407c5 |
| SHA512 | a29c270766df726742d3d5e4a7467bc196a18e8ac56043560841bda3d2c5b48ec2e245b81662d349f0d65611a3a5ae4e3d20d25006c7919d2c57c80666d2cbaf |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 84e477ea5a0a308e40f734fa535e547d |
| SHA1 | ffca47196378d937c1f961e78afaff37854ca17a |
| SHA256 | a87900d054a7e2b575baed49e65f06f66798f6ec5715bf20e7c7d7e17e2c95ca |
| SHA512 | e380497d8d6e83767bc514ace444ed202f33347c42f8b9f78fa42c2efa12dcfbf77828a6251bb5f592eb31cb7a4a1ff0addecca63d22704ae0cdd97a033e3c9b |
memory/1512-196-0x0000000000440000-0x0000000000478000-memory.dmp
memory/2640-197-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1512-199-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4cfcde23e7a6c7d45d98bbfb788d850d |
| SHA1 | 955c50d9f57352fac1f16b8599901fb00f4e4599 |
| SHA256 | 0d2f1d60df6bf54756a25479b3bc24700751fc78cc0987caecc413bff6e140f5 |
| SHA512 | 972236f21fcf57d0d6e2837cad471f6b2c2c8aa6f2d0a228549647634544e7b4742b09ac854df7d867c5dfef7cb125adc4d44029d26cc4a2bed46eeadcd051c4 |
memory/2640-204-0x0000000001CF0000-0x0000000001D28000-memory.dmp
memory/2652-207-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2640-209-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 68f4e6dc992ee2c0c41136319640e90d |
| SHA1 | aa085137bfd09ba530684afa66b10dadbcf7879c |
| SHA256 | fb834bff184f68db0e8caab5f617c9af37442176b4a7de31e848e2be11d3c1ec |
| SHA512 | 3b96c7bda3766cfe755ba1838fd1a50e09e8e31e87a05ebb6c3ce5a8c46e72334b407662546bd821aa6f29a045ed45444325bdba2ef1bb7c5ed08610c5132a20 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e11dc15ea3fd314bc1cdb3857d4e24f7 |
| SHA1 | 2eb5c7e5edafef9e1bd0ac1a20b6fefe5a29696e |
| SHA256 | f08f50f1970d0e0016be8048ce830b29d2bef3839b62de1eddaa22bb2addf54c |
| SHA512 | e48baad2018f42195de1cb7aa2eb557a28b0578ac7d0d906944d5ba68bf37bd54bb23f11b52186c63083644aad06c392c65afebecbe1f753f28a7f703b62c5f9 |
memory/2672-218-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2652-217-0x0000000000380000-0x00000000003B8000-memory.dmp
memory/2652-220-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9d412bc8930c03d9dc7765308a7e82b1 |
| SHA1 | 804184df870799a74a78ea7204ef018b451a54c8 |
| SHA256 | bee7883c89e19898011b7afd75f4fec551b2075e63a1fc0df76deb369ed70f23 |
| SHA512 | ff550a461b4b66eac9bf76adde14c9c62803d3778f3e867a098736eabe79eeb20bf6f9a81cf41683902d110f4d86a1077376f1721b07deae4c4eca3eebd4073f |
memory/2672-226-0x0000000001FC0000-0x0000000001FF8000-memory.dmp
memory/2868-229-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a3c6e746b318606a52ff5df267195e08 |
| SHA1 | 05345fc822d7dad68763cbdc1abab43b79d28497 |
| SHA256 | 446fcbeeb4f74d516dc918e144b8d957f45d78f458acdf035d7c3e77219ec7ee |
| SHA512 | a2b8995afccea1a13989e375aeed8e2877ea0ddbe9a233cd9757950d4a8e9aca2035db51956a80cdad46dfd9e6b4519b1a52cd46218bd5cde01a3f48a7fe948f |
memory/2672-231-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3df20ddcff15a6b5bfdcb954aee686a2 |
| SHA1 | 94a41a22649177c5941fc4b5389f51d2f38da446 |
| SHA256 | 2c5dddc0c6ea8f0d9cb30682d993ce519bddfdb67429c01b8b6fdecc82f16dac |
| SHA512 | bd01e922e4debd130e5c49db244ab6d28747d981d683e17a84952ae17597f8747660cf9309869f70a7a47a021a827b6fc579176b1649d1567cdbd90952cd2c89 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | afc9077d70492f2515b721ec68701d98 |
| SHA1 | 7afaa14f892461317ff9b84dae506a2eb82e0aba |
| SHA256 | ff6d07dd554381b9ef2d7cd31e557d2958a978eb469e97437836ee1393854a69 |
| SHA512 | 313c8645ef9b4ada0c6b42dae77670bfa21cdf027952c125fa2c7e6a162e806b8ea74f932c051a1dab35d1312192f1992fe8bdb23482e048bd140e552c518f92 |
memory/2868-239-0x0000000001D30000-0x0000000001D68000-memory.dmp
memory/2872-240-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2868-242-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f593ef5f41144f3f518f0426c24c23f6 |
| SHA1 | 12765d237871cbabf03a324b37413e6dd6321d4a |
| SHA256 | d074e0b1d0561bdbcf3284b8f7b0eadf20a8e5845b4a66e3c2ed537ae7eacb90 |
| SHA512 | dbcfe1e74428f3bc67386e07af2eaa6b36724ace40288b88cec191d5b4cb53ecc0ba1e558fe6f108724ef40e0369a506f6eb54bd18e5dc36ae95d49a38328b87 |
memory/2872-246-0x00000000004F0000-0x0000000000528000-memory.dmp
memory/1556-248-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2872-249-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1556-255-0x0000000001FA0000-0x0000000001FD8000-memory.dmp
memory/2436-256-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1556-257-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2436-262-0x0000000000390000-0x00000000003C8000-memory.dmp
memory/320-264-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2436-265-0x0000000000400000-0x0000000000438000-memory.dmp
memory/320-272-0x0000000001D00000-0x0000000001D38000-memory.dmp
memory/1928-273-0x0000000000400000-0x0000000000438000-memory.dmp
memory/320-271-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1928-278-0x00000000003B0000-0x00000000003E8000-memory.dmp
memory/1988-280-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1928-281-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1988-286-0x0000000001F60000-0x0000000001F98000-memory.dmp
memory/1988-288-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1620-289-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1620-296-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1620-295-0x0000000000440000-0x0000000000478000-memory.dmp
memory/1160-304-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2464-311-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2580-318-0x0000000000400000-0x0000000000438000-memory.dmp