Analysis Overview
SHA256
cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6
Threat Level: Known bad
The file cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6 was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Sets service image path in registry
Drops file in Drivers directory
Modifies system executable filetype association
Installs/modifies Browser Helper Object
Modifies WinLogon
Adds Run key to start application
Enumerates connected drives
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 00:52
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 00:52
Reported
2024-03-24 00:54
Platform
win7-20240319-en
Max time kernel
150s
Max time network
124s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/1736-230-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1736-228-0x00000000004B0000-0x00000000004E8000-memory.dmp
memory/2348-231-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2348-236-0x00000000004C0000-0x00000000004F8000-memory.dmp
memory/2464-238-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2348-239-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2464-244-0x0000000000840000-0x0000000000878000-memory.dmp
memory/2464-246-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2728-247-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2728-253-0x0000000000360000-0x0000000000398000-memory.dmp
memory/2148-254-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2728-255-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2148-261-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2632-267-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2680-268-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2632-274-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 00:52
Reported
2024-03-24 00:55
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
156s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/1556-0-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bcb92d53de7c37541a3e28bc61fc342b |
| SHA1 | 658dafeacc792aec0c81c721f57290099cf810aa |
| SHA256 | 8af7055dfe7333218a4a294da7f9641404e8e0177df4f1924526502ad44ad6d5 |
| SHA512 | abbd9a661f33602eee592080cdf353638dac4b326a447feac7acc9d771c9cf454aa485c4b89d8d6a995882ea7cbe8ea87855a03831e4909bf02ff6847597e0f0 |
memory/3212-6-0x0000000000400000-0x0000000000438000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1556-9-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 529623c50e878c65d39ee412ed018f1f |
| SHA1 | 341f84e97bb1853c99c3174e94195389dffc3a61 |
| SHA256 | e149fa40e3fa8861784fb5a09ea3e627dcb10295d741bc68d65b5876239518b4 |
| SHA512 | 9195224dc92612b77ad9fa025829f8797f4985308da5dd8fcbbe0133c2c2d2388a0b7c0894bccceb37adbd9a6d897a1f9024e27327d8fc0af4c9bbaedc1cd904 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ca28a8062dffca6298129580d8cb49ad |
| SHA1 | 18eade2ca033d479c35e7e0280bf5012c16dcb6b |
| SHA256 | 513941482f16113962bf988cb94247bdcd6366c2150cfc238d67f0511ae0b2d5 |
| SHA512 | 5bdc591c285ea53878a508d840709a7bde8dc852344d48f04bea0f4ea6e51ac53bf2f9f7128f1795084826fd0160fe9094168cfbb930b008f89bb455d0fc6f28 |
memory/3212-21-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 78280b082bdf7bfa13f2b7eb341237ed |
| SHA1 | beed4cd35ef04b988fa5ec11cae8a494ebf561f0 |
| SHA256 | 12528da728d274579ea72d9df0b527a29031f60737ed8471941c3c7266c5564b |
| SHA512 | 0db823c4a0eca7b4eb4f46d5e8b45577a8d7b0e737cd0200356e39f82813016c5304ee16efbc016e5deeb59d9ff1a25b2d0b99c30268f17370fa8c82e92d82d4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 15fb83e2b038bf051d41f34e1ceddfa4 |
| SHA1 | 37532187686801611337ad26b4cc3ad41523f109 |
| SHA256 | 9f5488ca36c1216da8c699985aeb0f1e570554af13d61232189ea58f92870c83 |
| SHA512 | 3e4d86ed865a8ba918ef4da9c0c917915c7483c99efb90514aa3445a35bf9ab755413bc0378eb84aa2262d9dfb7a23c2551e7e19aafab1fde29010f17725b00c |
memory/4648-30-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1676-34-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 231280a66a7b462601c0642c13a390a7 |
| SHA1 | 2ed11cf47e6d1c3d8fff556d476614fc4600ed63 |
| SHA256 | d16675b33486a13474c41c0ccef71d24418b520c5c4cc9e4516afcbfc47e0b3c |
| SHA512 | 5bbb380e6ae40f14ddbf90ced37c3378e5c296aae6fbf7686d3e94c2a18c24c0853caf44945dd7dd55a0f5cfb9d4cdbef698f3e94aa5ad9200ea3710e6ed79c9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3883ed0435af7c2ba7e61fe55febd7be |
| SHA1 | 247fe2d2fe67fac8d7b1e3532b9b35881fbb0b08 |
| SHA256 | 945892504cc29f56f4cdb2fc3c1f7cdaed3bf0b0535f7380a512e45903655f80 |
| SHA512 | c90d5d9fb60fa85fcef5b91d678630ed0bf97965632846df0b3043a5cd561fb23c2ad16be0a026215cfe2f9366eaf234343b52a4227b99f757c13824992d5853 |
memory/4648-46-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9e4ea02a2cd220fa72f1c72c59c0f12c |
| SHA1 | c92c14109d482c0b2d89aa2f2668d3762536f764 |
| SHA256 | 72ef3a56812b631c5ba7d9e29a6a9045c2273d99f9085ff0d3eda31d02cea378 |
| SHA512 | e974636f77a9b20a6c4c8a9943af24d6fb66d717977d49132cce09f8def5ed0b3d20233980c93bc4e6fe7c6221f71a6fe8687e8a864a3f7b9ce29d523d6a6577 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2829fa13a96120c72ce6851d93260b20 |
| SHA1 | dd32861cc4944073efb53e73b0b94a664064d28d |
| SHA256 | 009c6f0385acfb445db91a47c3e6afd099b41bc519aef6be5fd6f49221fac3ae |
| SHA512 | 702aa46043bff70b00f098fa3b51965db8ca346b873223837cb3feeaf81283e572610946deed9f791dc0beec9d9b8b3b19e2ad7e1d6509d8080cccb7e9303906 |
memory/4412-58-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ee32e641e2e4c59ab8eefdeb87dc89be |
| SHA1 | 409dd22bf03c6eec13ea4e9e00590f9bf6381f47 |
| SHA256 | e5b4e57dd41008b0e6cdaf2225c2f13c2fe07fff214d4924f251999fd424c134 |
| SHA512 | 583e985f9137183b6fc5b145aad36dc4a1c3504b00064210f645a23dddeebb3e98092c7cbceb375220ca1ffc0731ccc2ff0a93750b4844b59c747f3b2778d554 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 043fb6c1a85627f22011cc1347c278ae |
| SHA1 | 8aaea76be77ca75cdc322a86b4b13d5718b58ccc |
| SHA256 | cb7f095359df35604592c5aa49b48e3379165db082fe7d104f534b5e915bce36 |
| SHA512 | f433793a0e52591c22ba83a7287fae87aa66a44eed887eda0580482e3230d6ee4b46ddc4e1f70f6ace8624455a0aa364bc205cb3240218e10796df29809c17b3 |
memory/1784-70-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 43c2a50433f019141c8b3462c0e2afe7 |
| SHA1 | d803d9a55a2f9650b57e115d0e658a1a009899f1 |
| SHA256 | 4dfdc6cd5972e41fea2f3984c6419849484f3a7b346d977b30d18e055c80b25e |
| SHA512 | fc2b2b466dd6f5510d21968dfc240cb3dd87efc3ffcaaa15954e004b1b97aa97d2b98a4af89e5e240f7c7cf5576c9e31537f3aa07cef65c012ed0e77ca65b7cc |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 26d548b423af21029cf4ad77c3321639 |
| SHA1 | 9ec5dbd4fe8c0740ae189033e07a0508ec0f5a1f |
| SHA256 | d5a8577c0fc58e2b72f7509f725991a37cf6c3ef079cf1976c801dcd6fbe63d7 |
| SHA512 | a72bc22480bf1cc660a0087ef527de2ce605461dea608bd6dee36df8114555e2260672f6d808b58c853b248ce69be0167ee3aada4910e50649be53147a088c59 |
memory/4608-82-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | edad24c5e7b6eec3f62ac68a0ba4b7af |
| SHA1 | c0e571b2c9413822a33a606830916b1937b5207d |
| SHA256 | b63815a4775a4748cb3c62ea8e545537859c303e24ce83b826a49f5d198008a3 |
| SHA512 | d404b85e5efdbcc925332dcb9c1d64d346cae8f83239f17748f2a757944e2e2534506ec087978ed3769a05f51e86a1a0297d1616dd0591beea06672b1a37cb67 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5f6497799afc7b57ad7881d090d9a285 |
| SHA1 | 5dd7f0287c9e42568cb9fa49524e26ff177c6c6e |
| SHA256 | 2ce3b7ae8b41fead8d8f664eecaf03fa70865478fac2b6c7a90fe1963d6520b4 |
| SHA512 | 21161ed375a9a01315ea23a613b9e518bd6bf6c7aa29bab0771a150642c507a76465332bacbfb506f309c1a11d62e7cb889afa61569388e436ace5ec8199be10 |
memory/4624-94-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6d85734611ebca301c86a1e7160186a4 |
| SHA1 | 20ee03089458857339deefd147b1f0d809f5d75e |
| SHA256 | c895e23b80395ce34bd14af26b9eb27fc2f8ad188422e362daed4eb9c29fc251 |
| SHA512 | f45c3ad37136fcb2500f46e02a68b15ec862af63fe47f68ea9b35c22eac0c106812d219a0ee02e355535b2ca472eb10e1e9e2b59c0b8955e17323eea1781799f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9be8885a3b6787c370d36ca09aec446f |
| SHA1 | 88de330c524378a0c60f381a01b778b89615189f |
| SHA256 | d95cfbe74a0c059ca381bad12402c832df72ec9398e24895c1b755cde4a2c8ea |
| SHA512 | 6e412f432804d820340f3cfce855d6bd8a99d24e9903af103e02df8e6b90c4516e42bdc50a420dc46ff65675ffac28d1d797093fc06609aa0abe69fe49c7700b |
memory/4656-106-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fb7bb4676ebe152a40cc0967631ca1e7 |
| SHA1 | a8ad21a5a1551df29fe59897bfbfecb31e1016e2 |
| SHA256 | 82d085e5de31e622d6eeec9f004289b47385eea4b2f1a81a0378c73850433131 |
| SHA512 | b6c20a9088effc322dadc03a36a312eb95816140b9ab3db313d8f17aaba2826e14f693b3557c1604225f3d4b999af64d45f0b314c2888ed97ff121cf601c1bce |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2fd2047745133d33cf84d34871c9f886 |
| SHA1 | 8ad24f2fced93d856f6e79403eeaf8539f50308c |
| SHA256 | bb097133f3e0495c26fbe04b72cabf057fd278d00c930e98f76ea8721dfdaffe |
| SHA512 | 608f7112436081d7b5b7481031670f7194afb9d842b1f686a6f3bce59a5768e07e4034496dfc984a34574ec4a5172aac465983a64180348b7b7e00658657a87e |
memory/440-118-0x0000000000400000-0x0000000000438000-memory.dmp
memory/5092-119-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 937c94a7455cc4522fc8b66f619e398d |
| SHA1 | 9804e8833e5212d4f9e69900cc78e9e348c9f4dc |
| SHA256 | 01574aa6d352509098fb33f6f33d759f73b32ce399ceff346fd7f64c908194cd |
| SHA512 | e25624a67be953c1f36763889ff4ed1fcc63e8f103515f1156e4937ac9f7218630b13b7003a9781f97196697e845930f580aecb329ad8a3023ea47622329ddf6 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 13dc0ea4d9e6b4f85256300cef506267 |
| SHA1 | 6e88799eb977897f6a28aa169b54c0bd1da57b7d |
| SHA256 | 8eb1e1285813a0316c78852dcc6c5189102090911bac5079d402becd835e37d4 |
| SHA512 | e41e4b01a3f94d3e31a0556402320df2db900ddf156e7d5d3af3a75e8917df352746c2f65af1b1e09774fd66f9a396a54654b215d64c4cba5b3b9aad2ad3dd55 |
memory/5092-131-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c21a4d0ac5d48cd78f81d8eca76e59a0 |
| SHA1 | 1d37f7ee720761534cc59b1d09c9dd0e4e8b275e |
| SHA256 | db2fbbb85e81f7bf4c816d6f3f6aa287847fa3bb0884e41a8649368e2ab278b6 |
| SHA512 | b9de8aff6f59d4e6c8cf8c8a4fac8c48315ea592648fb9ff18cd4e11b68c7fc66f9fb500db808461c72e009e8692c01497777bfd80b753f585b0506a3e1455f2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9d547a5569b6d655676a05d9ade49091 |
| SHA1 | e120351abefd48b4b089d255d1d7d170f4091e21 |
| SHA256 | 5f6725c34fb16cd564e5aac7b85a538fe09a2335b5ec34225e4b1351de8cdc53 |
| SHA512 | 6aeedb08fe814b4c8ee535ebf360c4bded3f129e995fe7fc59160376de0f34b4b19e2ec3a07843baae37bcb76e220113055f2139c9f4a1f295a378e1626b0738 |
memory/1544-143-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ea5e15c5e321000132be2872c44ad27a |
| SHA1 | 49b6b7b9f3787ba130d86c72dcd45c9c94bc4fc4 |
| SHA256 | 31fc9ec64d2c2927204f633675377fc76d0c02e3cf358c26fd1985fbd5bc192a |
| SHA512 | 72a8464f22633fa637fc16bc3a08d3a8f831a2c4f8db7244f76f3170e0e79ef0d881bac480b9e7d1533d243d9a1143823090cea37c608328750d44b3bf1e04ff |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | daa07927ddec5398018d9be9f87f2236 |
| SHA1 | 38e7ec81aaed363f64beaa8fae6da790c8db5712 |
| SHA256 | 813c88fc7f2bbb85164a5f23d263bec8362c676edb4ab32c0df1f0cc2b7f2538 |
| SHA512 | b5edf5d011a7a9d73e32d3572a30d7ac3231dd92a0a0fb7f8693da3eeb15cfbc6f08157a23da48a3b0c5d7e17310a706e8755e3e317345e0a59af39af2fa2a8e |
memory/1092-155-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 618d8ff779a0719c555f180817cc6d4b |
| SHA1 | 02d55f159b1bfb0b40beae730754620009308aa8 |
| SHA256 | 12ce005747ee864c3085ec937b1e8a74c69318e68d449266125333edd5ae83a1 |
| SHA512 | 15e1209ab8141d96d929c602482b4ee7236ce566191a50ec76ddb36613201ce7f8ae2d9d88708c7785fb88d9fa45ea0b5abd2c033fd8447f7c27ce71a9ab3a67 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b770a5e400b877d01e0d96ae6e37bc48 |
| SHA1 | d51e05eec89f9a4caf009bcae6d470910f2e2a6c |
| SHA256 | b704d33707d8adca5b85c193c479c2b0376cec7303bf813347706eed8d86cb64 |
| SHA512 | 4363de8baf4bd28a90a0d5cb95f46bbbfe8ea8412d9dc782312cf0c3aa65717294b7df0ad539f2790b1d76bb2978272b035c1eab5ac2e66615481a548fe090b4 |
memory/4308-167-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 46eb25ce51819948e87718f081167c9c |
| SHA1 | 5d267e6641b3033e8ccf86882ead66060c7d1a8a |
| SHA256 | ae30a568c8cf45be36d5fe8db1b4239498f99a4d65d43d6da2fcc319dff0c428 |
| SHA512 | 157e589eb0ab3d74e2e0f885cbc51f948492bad44e2e7d9d4155ddb008147da83cb95165a12662d90bceef53f76311f8b2db6e946b568d5787de5cb8369e57c9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8cf6fe53dacebd20a9f18facdf389445 |
| SHA1 | 59de657c4d929d4b3a29c1df38da7f5279aa9def |
| SHA256 | 92b2c25792c0bc5510ee9e00dc1bf67d9e61a157bdfdeff2ede598877a113034 |
| SHA512 | 894e5461e82c0dd9dec00b4c20c291445c9466f0d3a3b4a54ca126714ccca021f0ebf20d5edc9424615c7944e5398d4675fa3ccb576d002be1b7fe7ce59579b3 |
memory/3604-179-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ee05f1b2bfd7b2eeb04e486eaba44d49 |
| SHA1 | 00a674e3e1230decf58968d7cce97a982a0136fe |
| SHA256 | 58bb9a048f6f13d7a9c1dfcb0bd6fab492cda92ae9377d90039572ab25fa10a0 |
| SHA512 | defd63a9afdc5432c91bd0c0908d7edfb86cd73da888efc4b125842d28d88bce742e5172666f3b7bd039c6b514615ad58df3a843b1fb432ea5f3532065f928d7 |
memory/3588-188-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2192-190-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f2959b9c777f84b206526da3356845ec |
| SHA1 | 5a7c1891f14b003160f19f3c86fe8cdbe517b109 |
| SHA256 | 0c10950fff05a8c76711ceddad55eb3e6e1cc7ff294a59d34bd3120d56ee5bd9 |
| SHA512 | 69b2e172b2649a97ec16bd1745411ed6d50660b284ad342961f596963198e3e83877fc019d2144b74946c729784aa321bec899a22fee15f6b88e6502c15a520f |
memory/4812-202-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c85e8b259a0c3f20c8adb603f122a992 |
| SHA1 | be5ac5e80c3443ee28c75ecdac26c061ca6a61e8 |
| SHA256 | 540d4b1439da5b2422e06768ef5c6d993908d86c4c182814b3acc6ab2723c587 |
| SHA512 | a627352c6b9587fcb02bb6ef47a440c3b0b2eae3c1a5b3bc38e1a9f157065387095b4103916ac0949f09d1ab7a98ca373b5eba82b8aba0db50598e3390c53913 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 15f2f3668cab1dd5dd5638feca3e138d |
| SHA1 | f247b76ccfa27d37fdb9a5fbc9cab50a672ca583 |
| SHA256 | e2f404835bbd007e560613b00c25482859e47a6cd2b5bb96652242c6ca8ab5b0 |
| SHA512 | de40a24f0ded1891b56fd570e59d1318bd3744e6ee71911cd808ac3887fde225a52c6361b605f8c4ecb6753702f5c0961fbc241c0b6c76fd4abb5b98e9ac55c0 |
memory/768-214-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 872702a299320dc9a5ef1a21f6847ab1 |
| SHA1 | bda001670dbcb71b4286dd05aa05d9a15249ffb7 |
| SHA256 | 95746bc440751b4f125c698278f5b563b4e64b37d23f588b952758e6e3e0b0d1 |
| SHA512 | 87685011e66c2b5352aa9a48bacfae111038d6bd2623b0d3f71fcb405c990a41f9ca286da884a79a7e5868558ef2b6ca8c3cf750424d43c597252b7682508200 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 566e500a3f5129a0fd384c2a59578872 |
| SHA1 | 5797c3e95c094272b1092a7f1612000fe77e5e19 |
| SHA256 | cca1b813c00c96074e3a47ac2893d309d74da88fb8c96b2fdea807e4bb0b8cff |
| SHA512 | 45e9178bbd5078eb9eba2b7fd1bf0ed765cfff92f7c498884b7657725e9ffbb8ead36b1376cb1060763263dd21dd810f66c79a7c526daf28b515c3e0c075f5f1 |
memory/4724-226-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | dbd636cc09d624edb482f467c887bfb1 |
| SHA1 | e6833d9eee425ecd9f0751f236e6f552e8e43932 |
| SHA256 | 525c96b29472f3ca41d750a666bf2d872fd64cbc39fcec31fd1ff71756cb3460 |
| SHA512 | 95b6ad906c8a6c7b985de8bcb329c9d41b77f52c92279163c638a38b659fecb0ebf7d18132bac1500a0025def93b886ed40448a02d7c73c8502bd202414b83b7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 965d68cc5c98e81f3d21b49910640191 |
| SHA1 | 444e8eafbd1026bd03fa9f65f1492d9a7b086c9b |
| SHA256 | 5216d70dc979ccf5645b51d4dafd08e29e10162c4e3f61b229d1b03527187645 |
| SHA512 | d6012b5a26166e8a23d6fc857e530e366012c9b9f2ad41a7f3ffe915875c7d5ea41b2a3c3516b6f60a4066f28b45d04c8c65fd5e36ffe5a54cf91e0ebb2eb4f1 |
memory/2660-238-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9cedb58fe3d08d4bc5935026264ff926 |
| SHA1 | 9298ab1b64c68db5eca1a69dd0095620a366d242 |
| SHA256 | 90a99f6609c13ec0460b0797296a13d8dde8a5b4310b1bca4f2f63b415fe75bd |
| SHA512 | 8ad06fd3fd6c6f96a8dbf6bd7deea2410e13448ac2678d0df103e1de090dcc5958dbe597e214380088730d743c1551a9dffc841d2477ad8d84b27fc89d618e85 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3a3e04147859896ea6fd371f47bfc20a |
| SHA1 | 7df3f62db79a0ddd5aa1b6bb5797b8bbf50ca707 |
| SHA256 | 2f6a2b6635b13633298fc1806833e46091ee21f43370475479ffae3e9f38851c |
| SHA512 | 95cd4d89a120f33e7eea6f4f4b8dd39b9b143123f4d7819725a36d0c42f33809979cb86b192da02b6266b713813f49a3030cfb2b7d3efe9438a9ffa1e2e08551 |
memory/1672-250-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c323fc0d819ab70c5d92788158b4a4ee |
| SHA1 | 2866a55c41ff7d29c96ed62b905bbffea4f9cad8 |
| SHA256 | c92b934f958f7a5610d8a1624fcd83f16b004b16942a5e94c5ca38671877c2d6 |
| SHA512 | 632f44d71f5f7f8914f3475dc327017702e3879a7c7bd07b0cd9f7c5dffe9529e80cc9d7c13ca01f6264a96cd4b6d1436b250260715f219b75eb29d3462837e7 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2d0f268109f1e905c6fd3b60f8f037a7 |
| SHA1 | 835013e8415fbfdc31ed1bff5bc9433e4469cf84 |
| SHA256 | dd4692805e67d091fb72e70caa238ce32d066e679fca161434f1b22533de0067 |
| SHA512 | 00993e42b69ed60f7d30cd72a5fe9959df90e6d9228027a4594fca475d97bf9ee77761b2a17a9f1e1c066270c4b7dcb8e152e44feeff2188f91402ed1bec727e |
memory/1456-262-0x0000000000400000-0x0000000000438000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0515ba26f1060fb353a0cd3a58048369 |
| SHA1 | a4e3b728df21dc7881ef835fb179b8f40339d128 |
| SHA256 | 71730e1df7c01750d0233a552ce08d68bde7c5618ced4d832c34e4ef9bdc7439 |
| SHA512 | d0aeb4d13a233be3b12a9a8b02e30fe53a89d26a532317cf335dcd2102fb5b4982db56074a417f1efd04d0569cb27224183ae266554cb9c53322bfcaf77453e4 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1c945e348756eb14687061273e1568ff |
| SHA1 | 2dbaf710bb3636d29112c05e052c4e0dacdc7797 |
| SHA256 | 25a7c8c9fae9b0168f8fd73511a5f6f621ff2448614137ecfddcd3eba6f989e6 |
| SHA512 | 86040e8d03ae53b4db0b713d8e495d169b0c9c20c9d7f925f880101e3e684e604be9a841b5805ebe77e1d1e0e5dde3562a21a94152858184a4e2d6493db39df4 |
memory/3616-273-0x0000000000400000-0x0000000000438000-memory.dmp
memory/3056-282-0x0000000000400000-0x0000000000438000-memory.dmp
memory/740-291-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2316-300-0x0000000000400000-0x0000000000438000-memory.dmp
memory/220-309-0x0000000000400000-0x0000000000438000-memory.dmp