Malware Analysis Report

2025-01-18 21:21

Sample ID 240324-a77xtahg6t
Target cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6
SHA256 cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6

Threat Level: Known bad

The file cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6 was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Detects executables built or packed with MPress PE compressor

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Sets service image path in registry

Drops file in Drivers directory

Modifies system executable filetype association

Installs/modifies Browser Helper Object

Modifies WinLogon

Adds Run key to start application

Enumerates connected drives

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 00:52

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 00:52

Reported

2024-03-24 00:54

Platform

win7-20240319-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2332 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2080 wrote to memory of 1716 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Windows\SysWOW64\reg.exe
PID 2332 wrote to memory of 2472 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2472 wrote to memory of 2668 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2668 wrote to memory of 2392 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2392 wrote to memory of 2376 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2376 wrote to memory of 1868 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1868 wrote to memory of 2728 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2728 wrote to memory of 2020 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2020 wrote to memory of 2432 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2432 wrote to memory of 2632 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2632 wrote to memory of 1076 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1076 wrote to memory of 296 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 296 wrote to memory of 2196 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2196 wrote to memory of 1644 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1644 wrote to memory of 900 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
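The table above is a flat list of writer/target PID pairs; what it actually describes is one sample copy injecting into the next copy of itself, generation after generation, with a single side branch into reg.exe. The script below is an added example for this report (not part of the sandbox output) that rebuilds that chain from rows in the table's own format. The rows are reconstructed from the pairs listed above, four per pair as in the listing; the function names and the "same image continues the chain, any other image is a branch" rule are this example's own.

```python
"""Rebuild the process chain behind the 'Suspicious use of WriteProcessMemory' rows.

Added example for this report, not sandbox output. ROWS is reconstructed from the
table above: every (writer, target) pair appears four times in the listing.
"""
import re
from collections import Counter, defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# (writer PID, target PID, target image) exactly as the report lists them.
PAIRS = [
    (2080, 2332, SAMPLE), (2080, 1716, REG),    (2332, 2472, SAMPLE), (2472, 2668, SAMPLE),
    (2668, 2392, SAMPLE), (2392, 2376, SAMPLE), (2376, 1868, SAMPLE), (1868, 2728, SAMPLE),
    (2728, 2020, SAMPLE), (2020, 2432, SAMPLE), (2432, 2632, SAMPLE), (2632, 1076, SAMPLE),
    (1076, 296, SAMPLE),  (296, 2196, SAMPLE),  (2196, 1644, SAMPLE), (1644, 900, SAMPLE),
]
ROWS = [f"PID {src} wrote to memory of {dst} N/A {SAMPLE} {tgt}"
        for src, dst, tgt in PAIRS for _ in range(4)]

# Row format: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(rows):
    """Return (edge counts {(writer, target): n}, {target pid: target image})."""
    counts = Counter()
    images = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue  # table header or a row in another format
        writer, target, _writer_image, target_image = m.groups()
        counts[(int(writer), int(target))] += 1
        images[int(target)] = target_image
    return counts, images


def build_chain(counts, images, self_image):
    """Follow writer -> target edges from the root writer.

    The root is the PID that writes but is never written to. At each node the
    child carrying the sample's own image continues the respawn chain; any
    child with a different image (here reg.exe) is recorded as a branch.
    """
    children = defaultdict(list)
    for writer, target in counts:
        children[writer].append(target)
    targets = {t for _, t in counts}
    roots = sorted({w for w, _ in counts if w not in targets})
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root writer, found {roots}")

    chain, branches = [roots[0]], {}
    while True:
        pid = chain[-1]
        same = [c for c in children[pid] if images[c] == self_image]
        other = [c for c in children[pid] if images[c] != self_image]
        if other:
            branches[pid] = other
        if not same:
            break                      # the listing stops here
        if len(same) > 1:              # more than one self-copy: keep the first as the chain
            branches.setdefault(pid, []).extend(same[1:])
        chain.append(same[0])
    return chain, branches


def summarize(rows, self_image):
    counts, images = parse_rows(rows)
    chain, branches = build_chain(counts, images, self_image)
    return {
        "events": sum(counts.values()),
        "writes_per_edge": sorted(set(counts.values())),
        "root": chain[0],
        "generations": len(chain),
        "chain": chain,
        "branches": {pid: [(c, images[c]) for c in kids] for pid, kids in branches.items()},
    }


if __name__ == "__main__":
    s = summarize(ROWS, SAMPLE)
    print(f"{s['events']} write events, {s['writes_per_edge']} per edge")
    print(" -> ".join(map(str, s["chain"])))
    for pid, kids in s["branches"].items():
        for child, image in kids:
            print(f"branch from {pid}: {child} ({image})")
```

Run against the table above this yields a 16-generation chain rooted at PID 2080 with exactly four writes per edge and one branch, 2080 into reg.exe (PID 1716). The listing stops at 64 rows while the Files section below still shows memory regions for PIDs 936 and 2312, so the chain continued past 900; the script simply reports where the data ends.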

Processes

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe

"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe (66 further instances of the same image path, collapsed into this one entry)

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
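The Files listing that follows records C:\Windows\SysWOW64\drivers\spools.exe and C:\Users\Admin\Local Settings\Application Data\cftmon.exe over and over, each time with different hashes, plus a tiny file named c:\stop. The script below is an added example for this report (not part of the sandbox output) that parses an excerpt of those entries in the report's own path/hash layout, folds the paths into host-neutral IOC form, counts distinct hashes per drop path, and tests whether the c:\stop hashes are those of a known one-byte content. The excerpt is copied from the report with the SHA1/SHA512 lines omitted for brevity; the function names, the %LOCALAPPDATA% folding and the b"1" guess for the marker are this example's own.

```python
"""Group dropped files from the report's Files section by path and check the marker file.

Added example for this report, not sandbox output. FILES_EXCERPT is copied from
the report's listing (SHA1/SHA512 lines dropped); everything else is this example's.
"""
import hashlib
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/2080-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0a59c33cc4c899554060e5be95a6cfe4
SHA256 d8ed09d7eb2b1d573a50069511c86867585736eeaca161852e142e2e311da5fb

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2736e4dd229a6293cc2b17993ec19805
SHA256 d54e31fa4b5c4dcc15706536a2cfa56cddb30e0095962df077f9230d48d52c17

C:\Windows\SysWOW64\drivers\spools.exe

MD5 47634991bdf9e953461fadf164b8cec4
SHA256 923e22cfebd0c0b9fdddc8a3fa820b6bd02a5467da7795b198dce8da00bb3463

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2b1144f6a13e457ac5b37ccde2a30a77
SHA256 1b5b84f4fec8ed9e68790db8517003e41fea9bf8e10883b65af175bb04c97f26

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 465bedeccbd8ca44d180c4ba354f497e
SHA256 1a4b93064f524624667b6419f088ab9a922dcdf3e87785912d0720bb4ff651f0
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
# Windows 7 keeps "Local Settings\Application Data" as a junction onto AppData\Local,
# so both spellings denote the same directory, i.e. %LOCALAPPDATA%.
USER_LOCAL_RE = re.compile(
    r"^C:\\Users\\[^\\]+\\(?:Local Settings\\Application Data|AppData\\Local)\\", re.I)


def parse_files(text):
    """Turn the report's path / hash-line blocks into dicts; memory dumps carry no hashes."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2)
        elif line.startswith("memory/"):
            current = None
            entries.append({"path": line, "memory": True, "hashes": {}})
        else:
            current = {"path": line, "memory": False, "hashes": {}}
            entries.append(current)
    return entries


def normalize_path(path):
    """Strip the NT object-manager prefix and fold the per-user local-data directory."""
    if path.startswith("\\??\\"):
        path = path[4:]
        path = path[0].upper() + path[1:]
    return USER_LOCAL_RE.sub(lambda _: "%LOCALAPPDATA%\\", path)


def group_drops(entries):
    """{normalized path: [sha256, ...]} over file drops (memory regions skipped)."""
    groups = defaultdict(list)
    for e in entries:
        if not e["memory"]:
            groups[normalize_path(e["path"])].append(e["hashes"].get("SHA256"))
    return dict(groups)


def drop_stats(groups):
    """{path: (times written, distinct SHA256 values)}. Equal counts above 1 mean every
    write produced a new hash, so hash IOCs from one run will not match another."""
    return {p: (len(h), len(set(h))) for p, h in groups.items()}


def is_marker_file(hashes, content=b"1"):
    """True if the recorded MD5 and SHA256 are exactly those of `content`."""
    return (hashes.get("MD5") == hashlib.md5(content).hexdigest()
            and hashes.get("SHA256") == hashlib.sha256(content).hexdigest())


if __name__ == "__main__":
    entries = parse_files(FILES_EXCERPT)
    for path, (n, distinct) in drop_stats(group_drops(entries)).items():
        print(f"{path}: written {n}x, {distinct} distinct SHA256")
    for e in entries:
        if is_marker_file(e["hashes"]):
            print(f"{normalize_path(e['path'])} holds the single byte '1'")
```

On the excerpt every spools.exe and cftmon.exe write has a hash seen nowhere else, which is why the path-based indicators (%LOCALAPPDATA%\cftmon.exe, the drivers directory .exe, C:\stop) are the ones worth deploying; the c:\stop hashes match the single ASCII character "1", so that file is a flag, not a payload.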

Files

memory/2080-0-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2080-1-0x0000000001FA0000-0x0000000001FD8000-memory.dmp

memory/2332-2-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2472-9-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe
(Not a Windows component: the name imitates the Print Spooler binary spoolsv.exe, and a user-mode .exe in the drivers directory, which normally holds kernel .sys files, is anomalous. Every spools.exe entry in this listing carries a different hash set, so detection should key on the path rather than the hash.)

MD5 0a59c33cc4c899554060e5be95a6cfe4
SHA1 6d643dc409983a28d17ffd1687f9fec1bcefbad4
SHA256 d8ed09d7eb2b1d573a50069511c86867585736eeaca161852e142e2e311da5fb
SHA512 cd21fedcea4b05102d66b32065f3b33e90dc2b8b001fde49dcb32d877ab061b6ce4ab16a340859293081f2f3309bf159ec4f1cf694b1e232681d124581afa892

memory/2332-7-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/2332-12-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2080-10-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
(Lookalike of ctfmon.exe, the legitimate Text Services Framework process, with two letters transposed. "Local Settings\Application Data" is the pre-Vista profile path, kept on Windows 7 as a junction, so the file actually lands in C:\Users\Admin\AppData\Local\cftmon.exe, i.e. %LOCALAPPDATA%\cftmon.exe.)

MD5 2736e4dd229a6293cc2b17993ec19805
SHA1 b4de5c4111c19571ab41f8bfeaa486a1f71895cb
SHA256 d54e31fa4b5c4dcc15706536a2cfa56cddb30e0095962df077f9230d48d52c17
SHA512 94fb781ba797faf1b59c827f50172c509979dce1615410ed0ea23a903c969608c3c0be79392599f501d425681e1b14101befff0214be4af22eed1fbce666f6db

C:\Windows\SysWOW64\drivers\spools.exe

MD5 47634991bdf9e953461fadf164b8cec4
SHA1 edd7a7742b23b358612af8af5e7e01a37a372574
SHA256 923e22cfebd0c0b9fdddc8a3fa820b6bd02a5467da7795b198dce8da00bb3463
SHA512 4cff0daa01d98282f4d93538d7294816506bee9ad975126f88503eda16fd8c5c652b2892e3fd04e860659ab40b45fa0b299eb02adda47ec25d8a546713c055ae

memory/2472-19-0x0000000000390000-0x00000000003C8000-memory.dmp

memory/2668-20-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\stop
(The hashes below are those of the single ASCII character "1" (MD5 c4ca4238a0b923820dcc509a6f75849b, SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b), so this is a one-byte marker file, not a payload.)

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2472-22-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2668-27-0x0000000000760000-0x0000000000798000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2b1144f6a13e457ac5b37ccde2a30a77
SHA1 04fa123742aff6388f381c919fe0ba622c75665a
SHA256 1b5b84f4fec8ed9e68790db8517003e41fea9bf8e10883b65af175bb04c97f26
SHA512 d0c3ad92e1654166d7bea0ccdb5b71804b9fafb24fb941e829f98f89cc8cff04b4c6974852101a53fd59321248496b8b6d70da6dd5a0d77b8d177696657d552d

memory/2392-28-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2668-32-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 465bedeccbd8ca44d180c4ba354f497e
SHA1 3c814af4b9292c7b0ae7c5cf8f8317b4c7ca3d86
SHA256 1a4b93064f524624667b6419f088ab9a922dcdf3e87785912d0720bb4ff651f0
SHA512 22004ad5a79b6d0cb18bd32a6acf38002216c6fb81daff7af256c47816886a9affef9606ed1944e117790a7e7c19c666c7da000e8e69c0e52be8c46fd2e3522e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 38a133b50095c676507b902288efec65
SHA1 b5bdc41fb0eb4a9d27f597cd9c386d7bf0629d44
SHA256 b93e99a543eabd6dfa39b0f29beaf8c49afc27e03c20c6a4dcca7b7430d52f74
SHA512 eddebd058ea50e64d1d64e25547a43adc99865c8c665e162d11be02edef397c27213d4ac7cffb774944f943ae0715231b10810ad88db80b3cccc687f4135906c

memory/2392-39-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4872244dba822b2e1b748ba023161529
SHA1 4f62f0157179a9e28c89f76ed87cf9f89b1e15bd
SHA256 422fd422af57f29335779ca84ced7eae76487f0af775f9a71cdccbf1713f14cf
SHA512 928759f464beece78e7c48c6414048baf14d6bbc8b7548fbdb0a8745db4fec0a46482ae6d8cae11f146171662262d7e8d59cdef786bd82197d7252a2d85ccf1b

memory/2376-48-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1868-49-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2376-44-0x0000000000360000-0x0000000000398000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 70a1ad2b37477730c2627d38f673a608
SHA1 68ff0de366acebe4e95da95f2b8ea7b4e1321798
SHA256 c04fb781e1f6f5961692889aee4e894e5509f7e67def8b736e9b744006ab99d8
SHA512 46296f617585314178398a0c8aef3f6e684b99cfec5dab18840efe478d67c2aa0940351f41e3cc3fec491ac175577c3ab29f90cb332be5496ea63c01bdf303c4

memory/1868-57-0x0000000000540000-0x0000000000578000-memory.dmp

memory/1868-56-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2728-58-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9811fe0d5900cdcdcff5126b4456347d
SHA1 1ec2d0d3f30e2ede9a434c4aa8f29224d5599ca8
SHA256 9bc1ef518c554e2c91e7339803ba89526c89bea3bd391e18016f61ac1615bec7
SHA512 5e29aaf43f69207024f2f82517a3402139e0cf50a9f10acaf2578aa2b814a7ec38fddb469111494f638a0fe356a336b7431b3b9d6eb89a2e00ee1b7f67f75dd7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c3cda0e486730bc2c6e87f6159f2e594
SHA1 3a891fc9914560753750101686342af356e8c690
SHA256 6f9dd5e4d53add1f14ce88fe54c96b61191bd65937f0c3004cb8d9f87487030e
SHA512 b71639633e05ac60d24778640460089adbde9340c48afb0dfc3f211f89adeefaa410e60c7a0db5ce446d094cdbe3b95d2da0146914e7227eb0c5ce8a6575335d

memory/2728-67-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2020-63-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 bebebe9211a9773e408593ab35753dfb
SHA1 bde4bd099da15fd0bdbcf146c03d09900e022785
SHA256 7c8665f65d0850371315725499de433760945ffc7e819f95df01ee93ad8a9ba3
SHA512 3ec6bdfc762acd2304b6722cb334bfc9485401825e28cd3c4d096a484c698786b10038f4fe2eda2b2c6e9dcb7bb991109dd101b6288908f3eb6593d830e01eb6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f84fa69b82eee7607eda68aa41640ee5
SHA1 7a239e9162e9f96d49e0777813f217f6151a048d
SHA256 3884f512bafc4e3fb1b080d1ff3681f5bbb76280d3f3b766f8b6afa6d08387d3
SHA512 836a952902826aa278b51081602917dcdcad500fb7f37d3eccf220961113abdddb3c73a7283973a1fb51082820b29847a58173054a6abcc18de67cedeb1919c7

memory/2020-74-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 36c4c3049cf6f3932f56736e6afe0dc3
SHA1 3ec7349216eeecb64c5008972b3d2070bf29e0a7
SHA256 474aa2e2ae62b3c3b15c181c8d4bfa531fca4617c87b26f2c7e9198ccf2b1c08
SHA512 e432b20784a04059ebf2553d26320dcb727faa63ba4a1eaa90f0f939e44de88d2906c99100486b47128b2aff84697fac601f41faf7342d16379b3486a43c1d56

memory/2432-82-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 7719b27985d42d17e1eded08863ffcc6
SHA1 abde40e44246ad7e9c76f9219e182818235e87cb
SHA256 b4121130a3e79c41fa2a1bc97389823c358b6961c462653c10e68b7cc7796a40
SHA512 5bd1caed4e647bf5bd76658ad647cde9450382b4482e5dbbe183c497d932854bc0747cd2a2ecb187fc97f05f8c067277ae1d57001c39e90885f9e7e8ef5ee802

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2af84772fd0de793ac3f562c5ebad2dd
SHA1 97e55cfbcd55f9d30bc051ddf7263e5faf90da2d
SHA256 83d5c14961b39fe231723d7b3d6f3034adfe16e1775c510fad2ba8ea05771c8b
SHA512 c7640f254ab84a7ee6149a23a652900c940fc0abed73b169b921d7157dce48de8460ea4504e9702e14a96e3b2cd57811783e6b6b0769c5d8cd7c9957ba7f4fd3

memory/2632-86-0x0000000000360000-0x0000000000398000-memory.dmp

memory/2632-91-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1076-89-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 efeb52e09cfff995c5de5cb06a2e28ff
SHA1 8e53bf2105c51bb126d686a32ffb8bf64499537c
SHA256 e69c779cfd4b3030792c1158ca27f55835e98c172c8b588b7d5086f77f3bf231
SHA512 bc1bb0a7f5b5ba6528a8f40e023e3c5105f12e759c7955b8772f67d0580137dc804e52ee47aa6ef89e9da1176f9757803eb4063ced17f8253ce4bd16f3c69a5a


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 00:52

Reported

2024-03-24 00:55

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe N/A
(identical row recorded 54 times in the report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1556 wrote to memory of 456 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Windows\SysWOW64\reg.exe
PID 1556 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 3212 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1676 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4648 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4412 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1784 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4608 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4624 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4656 wrote to memory of 440 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 440 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 5092 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1544 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1092 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4308 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 3604 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 3588 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4812 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 768 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 4724 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 2660 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
PID 1672 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
(each of the first 21 pairs is recorded three times in the report and the last pair once, where the table ends; the duplicates are collapsed above)

Note: read top to bottom these rows are one chain of the sample re-launching itself, 1556 -> 3212 -> 1676 -> 4648 -> 4412 -> 1784 -> 4608 -> 4624 -> 4656 -> 440 -> 5092 -> 1544 -> 1092 -> 4308 -> 3604 -> 3588 -> 2192, plus a second chain 4812 -> 768 -> 4724 -> 2660 -> 1672 -> 1456. Three writes per pair is consistent with a parent writing into a child it has just created, not with injection into an unrelated process; the only non-sample target is reg.exe (PID 456), started by the first instance. PID 4812 is never the target of a recorded write, so the report does not show how that second chain was started.
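
The rows above are easier to reason about as a tree than as a flat list. The following script is an added example, not part of the sandbox report: it parses rows in the report's "PID X wrote to memory of Y" format (the rows embedded in it are copied from the table above, with a few of the triplicated entries left in so the dedup step has something to do), collapses duplicates, rebuilds the parent/child chains and reports any PID that writes to others but was never itself written to. Such a "root" other than the submitted sample means the report is missing the start of that chain.

```python
"""Rebuild the process chain from the report's 'Suspicious use of WriteProcessMemory' rows.

Sandboxes log one row per write, so a parent starting a child usually shows up three
times; collapsing to unique (writer, target) pairs gives the actual tree."""
import re
from collections import defaultdict

# Indicator column copied from the report's table. Triplicates are kept for the first two
# pairs so the dedup step is exercised; the remaining pairs are listed once for brevity.
ROWS = """\
PID 1556 wrote to memory of 456
PID 1556 wrote to memory of 456
PID 1556 wrote to memory of 456
PID 1556 wrote to memory of 3212
PID 1556 wrote to memory of 3212
PID 1556 wrote to memory of 3212
PID 3212 wrote to memory of 1676
PID 1676 wrote to memory of 4648
PID 4648 wrote to memory of 4412
PID 4412 wrote to memory of 1784
PID 1784 wrote to memory of 4608
PID 4608 wrote to memory of 4624
PID 4624 wrote to memory of 4656
PID 4656 wrote to memory of 440
PID 440 wrote to memory of 5092
PID 5092 wrote to memory of 1544
PID 1544 wrote to memory of 1092
PID 1092 wrote to memory of 4308
PID 4308 wrote to memory of 3604
PID 3604 wrote to memory of 3588
PID 3588 wrote to memory of 2192
PID 4812 wrote to memory of 768
PID 768 wrote to memory of 4724
PID 4724 wrote to memory of 2660
PID 2660 wrote to memory of 1672
PID 1672 wrote to memory of 1456
""".splitlines()

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def parse_edges(rows):
    """Unique (writer_pid, target_pid) pairs; rows that do not match the format are ignored."""
    edges = set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            edges.add((int(m.group(1)), int(m.group(2))))
    return edges


def build_tree(edges):
    """Children per writer, plus the roots: writers that were never written to.

    A root other than the submitted sample's own PID means the report does not show
    who started that process (missed by the monitor, or rows cut from the table)."""
    children = defaultdict(list)
    targets = set()
    for parent, child in sorted(edges):
        children[parent].append(child)
        targets.add(child)
    roots = sorted(p for p in children if p not in targets)
    return children, roots


def chains(edges):
    """Every root-to-leaf path, one list of PIDs per path."""
    children, roots = build_tree(edges)
    paths = []

    def walk(pid, path):
        path = path + [pid]
        kids = children.get(pid, [])
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


def longest_chain(edges):
    return max(chains(edges), key=len)


if __name__ == "__main__":
    edges = parse_edges(ROWS)
    _, roots = build_tree(edges)
    print(f"{len(ROWS)} rows -> {len(edges)} unique edges; roots: {roots}")
    for path in chains(edges):
        print(" -> ".join(map(str, path)))
```

Run against these rows it reports two roots, 1556 (the submitted sample, as the memory dump names in the Files section confirm) and 4812, whose parent the report never records, and a longest chain of 17 processes ending at 2192.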

Processes

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe

"C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\cd3cb6dbf7b92f83393027b04e267d4345523cf5bde7f8087db77ec68c1e41b6.exe
(the same executable is listed 56 more times with no command line recorded: the copies the sample keeps re-launching, as traced under Suspicious use of WriteProcessMemory)

Note: the reg.exe child does not register a Browser Helper Object; it deletes the entire Browser Helper Objects key without prompting (/f), which removes every BHO registered on the machine. That deletion is the only BHO-related change visible in this report. reg.exe being the SysWOW64 copy shows the sample runs as a 32-bit process under WOW64.

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp (5 connections)
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp (13 connections)
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp (8 connections)
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp (1 connection)
(repeated consecutive rows are collapsed above with their counts; the report lists each connection on its own row)

Note: the report does not tie flows to processes. The in-addr.arpa rows are the sandbox resolver reverse-resolving addresses the VM talked to (cloud and CDN ranges, and 200.197.79.204.in-addr.arpa is 204.79.197.200, the Bing address contacted just before it); together with the tse1.mm.bing.net traffic over 443 they are consistent with normal Windows background activity. The traffic to pivot on is the single forward lookup of bublikiadministrator.com followed by 27 plaintext HTTP connections to 193.166.255.171:80 (FI) spread across the run, a pattern worth checking in proxy logs for the same host and for other hosts in the estate.

Files

memory/1556-0-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bcb92d53de7c37541a3e28bc61fc342b
SHA1 658dafeacc792aec0c81c721f57290099cf810aa
SHA256 8af7055dfe7333218a4a294da7f9641404e8e0177df4f1924526502ad44ad6d5
SHA512 abbd9a661f33602eee592080cdf353638dac4b326a447feac7acc9d771c9cf454aa485c4b89d8d6a995882ea7cbe8ea87855a03831e4909bf02ff6847597e0f0

memory/3212-6-0x0000000000400000-0x0000000000438000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/1556-9-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 529623c50e878c65d39ee412ed018f1f
SHA1 341f84e97bb1853c99c3174e94195389dffc3a61
SHA256 e149fa40e3fa8861784fb5a09ea3e627dcb10295d741bc68d65b5876239518b4
SHA512 9195224dc92612b77ad9fa025829f8797f4985308da5dd8fcbbe0133c2c2d2388a0b7c0894bccceb37adbd9a6d897a1f9024e27327d8fc0af4c9bbaedc1cd904

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ca28a8062dffca6298129580d8cb49ad
SHA1 18eade2ca033d479c35e7e0280bf5012c16dcb6b
SHA256 513941482f16113962bf988cb94247bdcd6366c2150cfc238d67f0511ae0b2d5
SHA512 5bdc591c285ea53878a508d840709a7bde8dc852344d48f04bea0f4ea6e51ac53bf2f9f7128f1795084826fd0160fe9094168cfbb930b008f89bb455d0fc6f28

memory/3212-21-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 78280b082bdf7bfa13f2b7eb341237ed
SHA1 beed4cd35ef04b988fa5ec11cae8a494ebf561f0
SHA256 12528da728d274579ea72d9df0b527a29031f60737ed8471941c3c7266c5564b
SHA512 0db823c4a0eca7b4eb4f46d5e8b45577a8d7b0e737cd0200356e39f82813016c5304ee16efbc016e5deeb59d9ff1a25b2d0b99c30268f17370fa8c82e92d82d4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 15fb83e2b038bf051d41f34e1ceddfa4
SHA1 37532187686801611337ad26b4cc3ad41523f109
SHA256 9f5488ca36c1216da8c699985aeb0f1e570554af13d61232189ea58f92870c83
SHA512 3e4d86ed865a8ba918ef4da9c0c917915c7483c99efb90514aa3445a35bf9ab755413bc0378eb84aa2262d9dfb7a23c2551e7e19aafab1fde29010f17725b00c

memory/4648-30-0x0000000000400000-0x0000000000438000-memory.dmp

memory/1676-34-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 231280a66a7b462601c0642c13a390a7
SHA1 2ed11cf47e6d1c3d8fff556d476614fc4600ed63
SHA256 d16675b33486a13474c41c0ccef71d24418b520c5c4cc9e4516afcbfc47e0b3c
SHA512 5bbb380e6ae40f14ddbf90ced37c3378e5c296aae6fbf7686d3e94c2a18c24c0853caf44945dd7dd55a0f5cfb9d4cdbef698f3e94aa5ad9200ea3710e6ed79c9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3883ed0435af7c2ba7e61fe55febd7be
SHA1 247fe2d2fe67fac8d7b1e3532b9b35881fbb0b08
SHA256 945892504cc29f56f4cdb2fc3c1f7cdaed3bf0b0535f7380a512e45903655f80
SHA512 c90d5d9fb60fa85fcef5b91d678630ed0bf97965632846df0b3043a5cd561fb23c2ad16be0a026215cfe2f9366eaf234343b52a4227b99f757c13824992d5853

memory/4648-46-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9e4ea02a2cd220fa72f1c72c59c0f12c
SHA1 c92c14109d482c0b2d89aa2f2668d3762536f764
SHA256 72ef3a56812b631c5ba7d9e29a6a9045c2273d99f9085ff0d3eda31d02cea378
SHA512 e974636f77a9b20a6c4c8a9943af24d6fb66d717977d49132cce09f8def5ed0b3d20233980c93bc4e6fe7c6221f71a6fe8687e8a864a3f7b9ce29d523d6a6577

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2829fa13a96120c72ce6851d93260b20
SHA1 dd32861cc4944073efb53e73b0b94a664064d28d
SHA256 009c6f0385acfb445db91a47c3e6afd099b41bc519aef6be5fd6f49221fac3ae
SHA512 702aa46043bff70b00f098fa3b51965db8ca346b873223837cb3feeaf81283e572610946deed9f791dc0beec9d9b8b3b19e2ad7e1d6509d8080cccb7e9303906

memory/4412-58-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ee32e641e2e4c59ab8eefdeb87dc89be
SHA1 409dd22bf03c6eec13ea4e9e00590f9bf6381f47
SHA256 e5b4e57dd41008b0e6cdaf2225c2f13c2fe07fff214d4924f251999fd424c134
SHA512 583e985f9137183b6fc5b145aad36dc4a1c3504b00064210f645a23dddeebb3e98092c7cbceb375220ca1ffc0731ccc2ff0a93750b4844b59c747f3b2778d554

C:\Windows\SysWOW64\drivers\spools.exe

MD5 043fb6c1a85627f22011cc1347c278ae
SHA1 8aaea76be77ca75cdc322a86b4b13d5718b58ccc
SHA256 cb7f095359df35604592c5aa49b48e3379165db082fe7d104f534b5e915bce36
SHA512 f433793a0e52591c22ba83a7287fae87aa66a44eed887eda0580482e3230d6ee4b46ddc4e1f70f6ace8624455a0aa364bc205cb3240218e10796df29809c17b3

memory/1784-70-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 43c2a50433f019141c8b3462c0e2afe7
SHA1 d803d9a55a2f9650b57e115d0e658a1a009899f1
SHA256 4dfdc6cd5972e41fea2f3984c6419849484f3a7b346d977b30d18e055c80b25e
SHA512 fc2b2b466dd6f5510d21968dfc240cb3dd87efc3ffcaaa15954e004b1b97aa97d2b98a4af89e5e240f7c7cf5576c9e31537f3aa07cef65c012ed0e77ca65b7cc

C:\Windows\SysWOW64\drivers\spools.exe

MD5 26d548b423af21029cf4ad77c3321639
SHA1 9ec5dbd4fe8c0740ae189033e07a0508ec0f5a1f
SHA256 d5a8577c0fc58e2b72f7509f725991a37cf6c3ef079cf1976c801dcd6fbe63d7
SHA512 a72bc22480bf1cc660a0087ef527de2ce605461dea608bd6dee36df8114555e2260672f6d808b58c853b248ce69be0167ee3aada4910e50649be53147a088c59

memory/4608-82-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 edad24c5e7b6eec3f62ac68a0ba4b7af
SHA1 c0e571b2c9413822a33a606830916b1937b5207d
SHA256 b63815a4775a4748cb3c62ea8e545537859c303e24ce83b826a49f5d198008a3
SHA512 d404b85e5efdbcc925332dcb9c1d64d346cae8f83239f17748f2a757944e2e2534506ec087978ed3769a05f51e86a1a0297d1616dd0591beea06672b1a37cb67

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5f6497799afc7b57ad7881d090d9a285
SHA1 5dd7f0287c9e42568cb9fa49524e26ff177c6c6e
SHA256 2ce3b7ae8b41fead8d8f664eecaf03fa70865478fac2b6c7a90fe1963d6520b4
SHA512 21161ed375a9a01315ea23a613b9e518bd6bf6c7aa29bab0771a150642c507a76465332bacbfb506f309c1a11d62e7cb889afa61569388e436ace5ec8199be10

memory/4624-94-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 6d85734611ebca301c86a1e7160186a4
SHA1 20ee03089458857339deefd147b1f0d809f5d75e
SHA256 c895e23b80395ce34bd14af26b9eb27fc2f8ad188422e362daed4eb9c29fc251
SHA512 f45c3ad37136fcb2500f46e02a68b15ec862af63fe47f68ea9b35c22eac0c106812d219a0ee02e355535b2ca472eb10e1e9e2b59c0b8955e17323eea1781799f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9be8885a3b6787c370d36ca09aec446f
SHA1 88de330c524378a0c60f381a01b778b89615189f
SHA256 d95cfbe74a0c059ca381bad12402c832df72ec9398e24895c1b755cde4a2c8ea
SHA512 6e412f432804d820340f3cfce855d6bd8a99d24e9903af103e02df8e6b90c4516e42bdc50a420dc46ff65675ffac28d1d797093fc06609aa0abe69fe49c7700b

memory/4656-106-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fb7bb4676ebe152a40cc0967631ca1e7
SHA1 a8ad21a5a1551df29fe59897bfbfecb31e1016e2
SHA256 82d085e5de31e622d6eeec9f004289b47385eea4b2f1a81a0378c73850433131
SHA512 b6c20a9088effc322dadc03a36a312eb95816140b9ab3db313d8f17aaba2826e14f693b3557c1604225f3d4b999af64d45f0b314c2888ed97ff121cf601c1bce

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2fd2047745133d33cf84d34871c9f886
SHA1 8ad24f2fced93d856f6e79403eeaf8539f50308c
SHA256 bb097133f3e0495c26fbe04b72cabf057fd278d00c930e98f76ea8721dfdaffe
SHA512 608f7112436081d7b5b7481031670f7194afb9d842b1f686a6f3bce59a5768e07e4034496dfc984a34574ec4a5172aac465983a64180348b7b7e00658657a87e

memory/440-118-0x0000000000400000-0x0000000000438000-memory.dmp

memory/5092-119-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 937c94a7455cc4522fc8b66f619e398d
SHA1 9804e8833e5212d4f9e69900cc78e9e348c9f4dc
SHA256 01574aa6d352509098fb33f6f33d759f73b32ce399ceff346fd7f64c908194cd
SHA512 e25624a67be953c1f36763889ff4ed1fcc63e8f103515f1156e4937ac9f7218630b13b7003a9781f97196697e845930f580aecb329ad8a3023ea47622329ddf6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 13dc0ea4d9e6b4f85256300cef506267
SHA1 6e88799eb977897f6a28aa169b54c0bd1da57b7d
SHA256 8eb1e1285813a0316c78852dcc6c5189102090911bac5079d402becd835e37d4
SHA512 e41e4b01a3f94d3e31a0556402320df2db900ddf156e7d5d3af3a75e8917df352746c2f65af1b1e09774fd66f9a396a54654b215d64c4cba5b3b9aad2ad3dd55

memory/5092-131-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c21a4d0ac5d48cd78f81d8eca76e59a0
SHA1 1d37f7ee720761534cc59b1d09c9dd0e4e8b275e
SHA256 db2fbbb85e81f7bf4c816d6f3f6aa287847fa3bb0884e41a8649368e2ab278b6
SHA512 b9de8aff6f59d4e6c8cf8c8a4fac8c48315ea592648fb9ff18cd4e11b68c7fc66f9fb500db808461c72e009e8692c01497777bfd80b753f585b0506a3e1455f2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9d547a5569b6d655676a05d9ade49091
SHA1 e120351abefd48b4b089d255d1d7d170f4091e21
SHA256 5f6725c34fb16cd564e5aac7b85a538fe09a2335b5ec34225e4b1351de8cdc53
SHA512 6aeedb08fe814b4c8ee535ebf360c4bded3f129e995fe7fc59160376de0f34b4b19e2ec3a07843baae37bcb76e220113055f2139c9f4a1f295a378e1626b0738

memory/1544-143-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ea5e15c5e321000132be2872c44ad27a
SHA1 49b6b7b9f3787ba130d86c72dcd45c9c94bc4fc4
SHA256 31fc9ec64d2c2927204f633675377fc76d0c02e3cf358c26fd1985fbd5bc192a
SHA512 72a8464f22633fa637fc16bc3a08d3a8f831a2c4f8db7244f76f3170e0e79ef0d881bac480b9e7d1533d243d9a1143823090cea37c608328750d44b3bf1e04ff

C:\Windows\SysWOW64\drivers\spools.exe

MD5 daa07927ddec5398018d9be9f87f2236
SHA1 38e7ec81aaed363f64beaa8fae6da790c8db5712
SHA256 813c88fc7f2bbb85164a5f23d263bec8362c676edb4ab32c0df1f0cc2b7f2538
SHA512 b5edf5d011a7a9d73e32d3572a30d7ac3231dd92a0a0fb7f8693da3eeb15cfbc6f08157a23da48a3b0c5d7e17310a706e8755e3e317345e0a59af39af2fa2a8e

memory/1092-155-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 618d8ff779a0719c555f180817cc6d4b
SHA1 02d55f159b1bfb0b40beae730754620009308aa8
SHA256 12ce005747ee864c3085ec937b1e8a74c69318e68d449266125333edd5ae83a1
SHA512 15e1209ab8141d96d929c602482b4ee7236ce566191a50ec76ddb36613201ce7f8ae2d9d88708c7785fb88d9fa45ea0b5abd2c033fd8447f7c27ce71a9ab3a67

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b770a5e400b877d01e0d96ae6e37bc48
SHA1 d51e05eec89f9a4caf009bcae6d470910f2e2a6c
SHA256 b704d33707d8adca5b85c193c479c2b0376cec7303bf813347706eed8d86cb64
SHA512 4363de8baf4bd28a90a0d5cb95f46bbbfe8ea8412d9dc782312cf0c3aa65717294b7df0ad539f2790b1d76bb2978272b035c1eab5ac2e66615481a548fe090b4

memory/4308-167-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 46eb25ce51819948e87718f081167c9c
SHA1 5d267e6641b3033e8ccf86882ead66060c7d1a8a
SHA256 ae30a568c8cf45be36d5fe8db1b4239498f99a4d65d43d6da2fcc319dff0c428
SHA512 157e589eb0ab3d74e2e0f885cbc51f948492bad44e2e7d9d4155ddb008147da83cb95165a12662d90bceef53f76311f8b2db6e946b568d5787de5cb8369e57c9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8cf6fe53dacebd20a9f18facdf389445
SHA1 59de657c4d929d4b3a29c1df38da7f5279aa9def
SHA256 92b2c25792c0bc5510ee9e00dc1bf67d9e61a157bdfdeff2ede598877a113034
SHA512 894e5461e82c0dd9dec00b4c20c291445c9466f0d3a3b4a54ca126714ccca021f0ebf20d5edc9424615c7944e5398d4675fa3ccb576d002be1b7fe7ce59579b3

memory/3604-179-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ee05f1b2bfd7b2eeb04e486eaba44d49
SHA1 00a674e3e1230decf58968d7cce97a982a0136fe
SHA256 58bb9a048f6f13d7a9c1dfcb0bd6fab492cda92ae9377d90039572ab25fa10a0
SHA512 defd63a9afdc5432c91bd0c0908d7edfb86cd73da888efc4b125842d28d88bce742e5172666f3b7bd039c6b514615ad58df3a843b1fb432ea5f3532065f928d7

memory/3588-188-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2192-190-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 f2959b9c777f84b206526da3356845ec
SHA1 5a7c1891f14b003160f19f3c86fe8cdbe517b109
SHA256 0c10950fff05a8c76711ceddad55eb3e6e1cc7ff294a59d34bd3120d56ee5bd9
SHA512 69b2e172b2649a97ec16bd1745411ed6d50660b284ad342961f596963198e3e83877fc019d2144b74946c729784aa321bec899a22fee15f6b88e6502c15a520f

memory/4812-202-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c85e8b259a0c3f20c8adb603f122a992
SHA1 be5ac5e80c3443ee28c75ecdac26c061ca6a61e8
SHA256 540d4b1439da5b2422e06768ef5c6d993908d86c4c182814b3acc6ab2723c587
SHA512 a627352c6b9587fcb02bb6ef47a440c3b0b2eae3c1a5b3bc38e1a9f157065387095b4103916ac0949f09d1ab7a98ca373b5eba82b8aba0db50598e3390c53913

C:\Windows\SysWOW64\drivers\spools.exe

MD5 15f2f3668cab1dd5dd5638feca3e138d
SHA1 f247b76ccfa27d37fdb9a5fbc9cab50a672ca583
SHA256 e2f404835bbd007e560613b00c25482859e47a6cd2b5bb96652242c6ca8ab5b0
SHA512 de40a24f0ded1891b56fd570e59d1318bd3744e6ee71911cd808ac3887fde225a52c6361b605f8c4ecb6753702f5c0961fbc241c0b6c76fd4abb5b98e9ac55c0

memory/768-214-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 872702a299320dc9a5ef1a21f6847ab1
SHA1 bda001670dbcb71b4286dd05aa05d9a15249ffb7
SHA256 95746bc440751b4f125c698278f5b563b4e64b37d23f588b952758e6e3e0b0d1
SHA512 87685011e66c2b5352aa9a48bacfae111038d6bd2623b0d3f71fcb405c990a41f9ca286da884a79a7e5868558ef2b6ca8c3cf750424d43c597252b7682508200

C:\Windows\SysWOW64\drivers\spools.exe

MD5 566e500a3f5129a0fd384c2a59578872
SHA1 5797c3e95c094272b1092a7f1612000fe77e5e19
SHA256 cca1b813c00c96074e3a47ac2893d309d74da88fb8c96b2fdea807e4bb0b8cff
SHA512 45e9178bbd5078eb9eba2b7fd1bf0ed765cfff92f7c498884b7657725e9ffbb8ead36b1376cb1060763263dd21dd810f66c79a7c526daf28b515c3e0c075f5f1

memory/4724-226-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 dbd636cc09d624edb482f467c887bfb1
SHA1 e6833d9eee425ecd9f0751f236e6f552e8e43932
SHA256 525c96b29472f3ca41d750a666bf2d872fd64cbc39fcec31fd1ff71756cb3460
SHA512 95b6ad906c8a6c7b985de8bcb329c9d41b77f52c92279163c638a38b659fecb0ebf7d18132bac1500a0025def93b886ed40448a02d7c73c8502bd202414b83b7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 965d68cc5c98e81f3d21b49910640191
SHA1 444e8eafbd1026bd03fa9f65f1492d9a7b086c9b
SHA256 5216d70dc979ccf5645b51d4dafd08e29e10162c4e3f61b229d1b03527187645
SHA512 d6012b5a26166e8a23d6fc857e530e366012c9b9f2ad41a7f3ffe915875c7d5ea41b2a3c3516b6f60a4066f28b45d04c8c65fd5e36ffe5a54cf91e0ebb2eb4f1

memory/2660-238-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9cedb58fe3d08d4bc5935026264ff926
SHA1 9298ab1b64c68db5eca1a69dd0095620a366d242
SHA256 90a99f6609c13ec0460b0797296a13d8dde8a5b4310b1bca4f2f63b415fe75bd
SHA512 8ad06fd3fd6c6f96a8dbf6bd7deea2410e13448ac2678d0df103e1de090dcc5958dbe597e214380088730d743c1551a9dffc841d2477ad8d84b27fc89d618e85

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3a3e04147859896ea6fd371f47bfc20a
SHA1 7df3f62db79a0ddd5aa1b6bb5797b8bbf50ca707
SHA256 2f6a2b6635b13633298fc1806833e46091ee21f43370475479ffae3e9f38851c
SHA512 95cd4d89a120f33e7eea6f4f4b8dd39b9b143123f4d7819725a36d0c42f33809979cb86b192da02b6266b713813f49a3030cfb2b7d3efe9438a9ffa1e2e08551

memory/1672-250-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c323fc0d819ab70c5d92788158b4a4ee
SHA1 2866a55c41ff7d29c96ed62b905bbffea4f9cad8
SHA256 c92b934f958f7a5610d8a1624fcd83f16b004b16942a5e94c5ca38671877c2d6
SHA512 632f44d71f5f7f8914f3475dc327017702e3879a7c7bd07b0cd9f7c5dffe9529e80cc9d7c13ca01f6264a96cd4b6d1436b250260715f219b75eb29d3462837e7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2d0f268109f1e905c6fd3b60f8f037a7
SHA1 835013e8415fbfdc31ed1bff5bc9433e4469cf84
SHA256 dd4692805e67d091fb72e70caa238ce32d066e679fca161434f1b22533de0067
SHA512 00993e42b69ed60f7d30cd72a5fe9959df90e6d9228027a4594fca475d97bf9ee77761b2a17a9f1e1c066270c4b7dcb8e152e44feeff2188f91402ed1bec727e

memory/1456-262-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0515ba26f1060fb353a0cd3a58048369
SHA1 a4e3b728df21dc7881ef835fb179b8f40339d128
SHA256 71730e1df7c01750d0233a552ce08d68bde7c5618ced4d832c34e4ef9bdc7439
SHA512 d0aeb4d13a233be3b12a9a8b02e30fe53a89d26a532317cf335dcd2102fb5b4982db56074a417f1efd04d0569cb27224183ae266554cb9c53322bfcaf77453e4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1c945e348756eb14687061273e1568ff
SHA1 2dbaf710bb3636d29112c05e052c4e0dacdc7797
SHA256 25a7c8c9fae9b0168f8fd73511a5f6f621ff2448614137ecfddcd3eba6f989e6
SHA512 86040e8d03ae53b4db0b713d8e495d169b0c9c20c9d7f925f880101e3e684e604be9a841b5805ebe77e1d1e0e5dde3562a21a94152858184a4e2d6493db39df4

memory/3616-273-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3056-282-0x0000000000400000-0x0000000000438000-memory.dmp

memory/740-291-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2316-300-0x0000000000400000-0x0000000000438000-memory.dmp

memory/220-309-0x0000000000400000-0x0000000000438000-memory.dmp
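The Network table and the Files list above are raw sandbox output, and the signal in them is easy to miss by eye: the same two paths (`C:\Windows\SysWOW64\drivers\spools.exe` and `C:\Users\Admin\Local Settings\Application Data\cftmon.exe`) are written over and over with a different hash each time, every outbound TCP connection other than the Bing thumbnail host goes to one address on port 80, and the `\??\c:\stop` marker file hashes to a single byte. The script below is an added example, not part of the sandbox report, that parses both sections the way a triage analyst would to pull out those facts. The two excerpts it embeds are constructed from rows copied from this report (a handful of lines, not the full tables); it assumes 8.8.8.8:53 is the sandbox's resolver, as the table shows, and so drops those rows when listing contacted hosts. The `matches_content` check demonstrates that the MD5/SHA256 listed for `\??\c:\stop` are exactly the digests of the ASCII string "1".

```python
import hashlib
import re
from collections import Counter, defaultdict

# Constructed excerpt of the report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = r"""
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

# Constructed excerpt of the Files section: a path line, then its digests.
FILES_TEXT = r"""
C:\Windows\SysWOW64\drivers\spools.exe

MD5 bcb92d53de7c37541a3e28bc61fc342b
SHA1 658dafeacc792aec0c81c721f57290099cf810aa
SHA256 8af7055dfe7333218a4a294da7f9641404e8e0177df4f1924526502ad44ad6d5

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 529623c50e878c65d39ee412ed018f1f
SHA256 e149fa40e3fa8861784fb5a09ea3e627dcb10295d741bc68d65b5876239518b4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ca28a8062dffca6298129580d8cb49ad
SHA256 513941482f16113962bf988cb94247bdcd6366c2150cfc238d67f0511ae0b2d5
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
ALGOS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
         "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_network(text):
    """Split each 4-column row into country / ip / port / domain / proto."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header, blank, or damaged row
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def contacted_hosts(rows, resolvers=("8.8.8.8",)):
    """Count connections per (ip, port, domain), ignoring queries to the sandbox resolver (assumed 8.8.8.8)."""
    counts = Counter()
    for r in rows:
        if r["ip"] in resolvers and r["port"] == 53:
            continue
        counts[(r["ip"], r["port"], r["domain"])] += 1
    return dict(counts)


def reverse_lookups(rows):
    """Turn PTR queries (d.c.b.a.in-addr.arpa) back into the IPv4 address a.b.c.d they ask about."""
    suffix = ".in-addr.arpa"
    return [".".join(reversed(r["domain"][:-len(suffix)].split(".")))
            for r in rows if r["domain"].endswith(suffix)]


def parse_files(text):
    """Return [(path, {algo: digest})] entries; a path with no digest lines gets an empty dict."""
    entries, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        else:
            current = (line, {})
            entries.append(current)
    return entries


def variants_per_path(entries):
    """Distinct SHA256 values per path; more than one means the same file was rewritten with different content."""
    seen = defaultdict(set)
    for path, hashes in entries:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


def matches_content(hashes, content):
    """True when every digest listed for an entry equals the digest of `content`."""
    return bool(hashes) and all(ALGOS[a](content).hexdigest() == d for a, d in hashes.items())


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("contacted:", contacted_hosts(rows))
    print("PTR lookups for:", reverse_lookups(rows))
    entries = parse_files(FILES_TEXT)
    print("variants per path:", variants_per_path(entries))
    stop = next(h for p, h in entries if p == r"\??\c:\stop")
    print("c:\\stop is the byte '1':", matches_content(stop, b"1"))
```

Run against the full tables above, `variants_per_path` reports one new hash per write for both `spools.exe` and `cftmon.exe`, which is why hash-based blocking of the dropped files is pointless here and path- and behaviour-based detections (the Drivers-directory drop, the WinLogon and Run-key changes already flagged in the signatures) are the useful indicators; `contacted_hosts` reduces the 40-odd network rows to the single 193.166.255.171:80 / bublikiadministrator.com contact plus the Bing host.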