Malware Analysis Report

2025-01-18 21:13

Sample ID 240324-vp365agf5s
Target 033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8
SHA256 033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8
Tags
adware persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8

Threat Level: Known bad

The file 033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8 was found to be: Known bad.

Malicious Activity Summary

adware persistence stealer

Detects executables built or packed with MPress PE compressor

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

Modifies system executable filetype association

Adds Run key to start application

Installs/modifies Browser Helper Object

Enumerates connected drives

Modifies WinLogon

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-24 17:10

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-24 17:10

Reported

2024-03-24 17:13

Platform

win7-20240221-en

Max time kernel

155s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 2228 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2228 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2228 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2228 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2548 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2548 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2548 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2548 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2608 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2608 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2608 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2608 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2592 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2592 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2592 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2592 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2448 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2448 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2448 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2448 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2984 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2984 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2984 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2984 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2812 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1048 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 672 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 672 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 672 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 672 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2752 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2752 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2752 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2752 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1328 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1328 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1328 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1328 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2300 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2300 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2300 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2300 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2912 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2912 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2912 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2912 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1640 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1640 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1640 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1640 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1020 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1020 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1020 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1020 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

Network

N/A

Files

memory/2228-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-6-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1964a7d5e317318869148402f28617ca
SHA1 77afe289d7f67ddeb58af62a6156e2828c13dad8
SHA256 a0040dd7a8e6f63db1708cf65169809456eed179f8164818a21827a1441a8b87
SHA512 6cb8a28da144ad40ad4c54937ea21ddb7ad2beb2bd0572e07f41d0d6608695c4b74e9c3f0b7abaf6d39a541b2021386f3cc042139e05d2fc9af8879616281865

memory/2228-5-0x0000000002BD0000-0x0000000002C04000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2228-10-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8ceac449d7649a8ecb20238f158066ff
SHA1 431b314337e8a15ee91bc4ac13703f5594d7e503
SHA256 395535721ebacaa4c4389ba1879f104e10e9c1b50e990bdbeb84c52965e1d16c
SHA512 cab8dd03edaefb449fdcb98037c29bb5279546ff1bff69103b125454582bdb9bb08777907e536a2ed65cbd4169eb017cc695a0e45e67ddbb869f270654a4ea09

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0e533e6d529adcf159e6d936742cfd57
SHA1 4cac42b457dc43ce3eb20b7cc73485db0ab53dc4
SHA256 126fcf8786178f0a5d614cd2455a5d58bb871715ad1512670f80181cdba30cdc
SHA512 8a2885b76f4488dc4b1568a04e7ce49f176de34ffa72859e563e3ad0f778fcf0fc91d085e39ad1640850d736a6377120789b929309bc918229310674e5911425

C:\Windows\SysWOW64\drivers\spools.exe

MD5 81e6d06b3d6a9264d3448b761a887258
SHA1 4209d1b0627c9077de60eda4ba5c96767af17d00
SHA256 626acf3431b9b5ba30c6752b760c1a98f9e9dca12d3959e2c87aaf83ebc67eb7
SHA512 7e0acd27e1b58aebabac7064f447967f6250d95a1b17cc72976ff3dcdbb24d1167dfdfa2929a84e6097d367dcfee21f7b7c356a90f1f12d47e2584db3885e0b2

memory/2548-14-0x00000000003A0000-0x00000000003D4000-memory.dmp

memory/2608-17-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-19-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9bc568b16ca05c4074899290829c8a83
SHA1 bc28a0fd4a0f3aea3c857e265943100026c0e5e2
SHA256 7d7e4f439688da89fa2f47f9135b628e1648ace3e82d5e56c2e638b5b971f710
SHA512 361b775e8f40d959b30f56bc340e367dc22d2290b500d239cd5eacc19b3844599bdfe00af3c709009234a2a26a5a3fecf43d1d3e44315d745aaa16b18c5cb206

memory/2608-27-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4b26a3e25967e85d993471c18b019825
SHA1 14458c0dcee32ebbb93ae480da65fcb41d7525cc
SHA256 8d2cdb41b8cc935b6abc7158955e5316b8fe40a0f446388c674eb9c5913fe081
SHA512 cdd7c605cf1ba053d16384e90b3debc131ebfd95283f2335e796637daf08bd6ebb9c757f94993fc30046bdb43a88368c40c10e230013a224f019a5456af9097d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1c6b51aa331d5cbdb5d0457e16c10eae
SHA1 94357b19b7855f4487e0d21423d627f2fd79d709
SHA256 e570c77c5002c834a30b4145d40dec01cc44bdc9a7f73ed5cea3e4eff555387c
SHA512 479084c71cad36bec0800253fc5124d5d3ecd0dce0c13cb9a413148e64588bc489f18ce728a5d7d18e76bd535edbeb5967079cca95dc9d14374fe87805df108f

memory/2592-34-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2498034f196b56e9e6e30668f243795b
SHA1 d1257811679acb0648b3b1efbd1a1957544d0f21
SHA256 07cacabc99041fa35493c4184d60ad46f951883d0f50efcfa776f24f96b97f44
SHA512 a07b2d004538c26a9afa169ada9e26735753bd35b9ac6f3f51c4e13825d4537090d4a7ed2b0b7fd3251d10b3e1f7a7168b2942bea82cceff0db99a1ddd48517d

memory/2984-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2448-43-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 47d91b2361865d2ff68e4cb382976c1d
SHA1 c3b5071970fe458a919eeb9668c4028f594834dc
SHA256 66a186e42da88f5a13179a374ba99bda764fe567788741a6498091cd50f41bfc
SHA512 3a6dab864a198822fb6f59ba947428f4f5246498b4dbb3e0c0cd0f8ad9cf454a9b11f630355c19706c087c8caffd9437caffe88d864d1bfa18a9594b36117da5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 909b7d351208137047dcc17976946a76
SHA1 931a2d0f0eff70c948a05868faee3c47cfa2f495
SHA256 69925179a1d42d0c2b0d0f573afd91b481dbfb4d35d472cc1df389c49637c934
SHA512 d9140f075fe620f3fd74bf9b3ba87f8159c92d5c0bcbe8f1eccd5d9a66549b6d8402ff31b5d75321e533dd79764a48d34070fa304dbd3947f5cf84b9b833fc6f

memory/2812-49-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2984-51-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0be4d0d862d19b41f2b7e6457434b442
SHA1 19bb1cb09abc364a5adf9d0d3318872ce1bad8ef
SHA256 31189196691eee0a3ec67eb4fbb70248232bcf78d1aaf1516fd9fb0e811cd92f
SHA512 2e93f0ab67424a28a1cf779abab5fbf56bc1b1fd581c40414c16291a3c3a0354f1370357df3337409452ab1376af48d3bb4a7b768fef3532724d79a97a603aa2

memory/2812-59-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 ee76f15cfa4c9749bdcc4e6da76a2150
SHA1 b9813df20782533337c0d17205a6b4c1bf274348
SHA256 6707e1272820e713ff544b034124bf142a9dea6a4db3c7c7f8b954077ed7c020
SHA512 3cea76e4bba566fb25dd120953e8459da9665a69b0f861a67f1f1b2f44e3814d2bb3c310af955ba66e94d12c0ac04e7db95711ae1008381911afd2181f99d2d2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9d7c0a2f9f58b62a39edde46d46efa28
SHA1 e5c5fe43814872dd9f66eef62fa52e3c6b8fe6df
SHA256 50eabdf232cc4a040f8d199f7e605106db45377d5d931d584b030b53c3e80a2b
SHA512 62566d43de57a892e9cb45a6f05317496d53f40cd54a5a9540a25e988a773e7555b4791caf757a0328f7d004ace964993b4b5713336629c9378ed6503e7d3fee

memory/1048-66-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b43826393f9cf6479a002a4d6c8f533d
SHA1 9d6b5609a83f33610f037f9e724a52f8683ffa11
SHA256 a0800df3397a8d3ee74d97ad0a7935f71fb7032264753cc44101966c5c30947f
SHA512 c73760a850f2eafd52b8e412aaa1e640b193d5cf02d385027b9b50abdd6931e6e70713e99511cfb04a6b6f91bb6292727954d79c5919feecf257d0415eddb5e7

memory/672-74-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 45446d327d0267570d6fa3f9af03effc
SHA1 e518800d0516264da72508ce54c4cf74a8794ed2
SHA256 37b59e4e82c7bc963a51e721abdf9b894366d7102896926b6ae9d595fce231f7
SHA512 36114a6d338b8a21200400639b4deb180f8fa7f67e8f8378237523f8f7b080856d2fad892f46945e6408475b588c21685b08f5001080d0a9d6d8120cd44b1cc2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d70cbe28ec123354785454e466813437
SHA1 768e19885a5f09cef93c824666a4875afcd05326
SHA256 31e5496f0280c459d41557756273dcf05973291e1f4d7bb754a79db9cd9955bc
SHA512 c28b64e7e2733c38e04c9796e6c234fcafb97a0599d64810dbf96f29d161a50472b74d4992850592781039ed89bf4c30803a3fb15272a038ebf90fce9900c22b

memory/1328-80-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2752-82-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ba3fc64f002607dc4f7677918c4d6f51
SHA1 4bd1424e1d3d144f22b8f9fdc55500f343796bae
SHA256 46447a85e2a0f8ae6b73fe18c940f90c0e79d5cd9e2402548858e4b8549a6b24
SHA512 f329602f107236c614c0d1f8963c266e9089c0ce869e6cacea6760ef57b5d121692106b6c144ea64f193c7ba8b73d4563afc1ac1026f46ce4d28a0eaec03d337

memory/1328-90-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8eaa9ed1b48afa5b22b4d53171886bc6
SHA1 22be9747dfd105e8115d8fb598ba02bd15c81fa2
SHA256 7d8907e5a5c6b2858c40ba687ade5e6649fd3d44270378eee9d6cdb016e0be73
SHA512 a8b28f4570cecfff4f110c226c4dec6e75079a28a035de8572be40a97ad9c7a3e8d398b02de52887e4cbde52ad95f156a369572f708a3e43f63c7171c3ccb470

C:\Windows\SysWOW64\drivers\spools.exe

MD5 72b98ed638f7504872ad492eaf897892
SHA1 ea4003db7000e727938841cc407615f96a2b0562
SHA256 1b13e53f5dab597f20762660237d798e7abf8aa736b9c456dd1007b2f56b66dd
SHA512 198b71292c350bd3b184b9a4bada02909c9e5d5c9b78f44b74b15b6b3e4549db019806a384147035cc70a9d2245fc452c0937f4bd42135d75700d087f354d30f

memory/2300-99-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2912-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2300-96-0x0000000000380000-0x00000000003B4000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 09c51a30c39bdf1b1d99b83ec3abcca2
SHA1 ca957ca08f711b274a12e24858149d20c70e1089
SHA256 3d8b4f9902a79b0db880162f2dbf8f602c26c6179531186ef28dbabb53025a92
SHA512 36326d4c23b012d8d1cb2e828f5f9daffa4e00c15b78ef92237b414b8de617bd447a8a21aced2948c66658333ed7ebd491435df8de3ba671ced3e4a3e137084a

memory/1640-104-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2912-108-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f55322b3d059ea8565e6c86cc1e1aff6
SHA1 8e953fff29c4d208a2cbd4b2ba353f3808e40810
SHA256 14f4e8e885ec0601646a5b7b2c54b865ff65bdff383e77165cfdc9bf6d5e303b
SHA512 e12983103de4a96e7e36b9b931fa21c91c840246a1a013435aeee675128493d08fa740b13fb46a4c31d3529740c41e15b3b76240c6e0b0a14aeda6248129634b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 637f36a009815a5d2789eb54c1303529
SHA1 d259a1a5db84f4dedc6e4f9358630ffca4493bc4
SHA256 1245106e80140754c715c104f8703c35bd8f83c140712eb5566c1cb63fad8aa8
SHA512 79fe60cbf6527155bd90ee0cb05eb3643d2112d285c1f2d980be5139e41914b4905b002b8a8abde924e640316dff0c31da426fa3745f817447ee9cc9a0dfc719

memory/1640-112-0x00000000003A0000-0x00000000003D4000-memory.dmp

memory/1020-117-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1640-116-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1020-122-0x0000000001F90000-0x0000000001FC4000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ada995b80d10688fd1b18a120ee3e11e
SHA1 1ec3dbe3d896283cb5842e9535896a7d30c28dc7
SHA256 47243668e5bf5acde74c40e4f74bd0bcf0c2bca925d6e900a23bfaadc106ccf5
SHA512 44b331e2b7218f1884549a0cd378fd1f6bc20ad712738d58eb9e1b9cc95ee235e76d7bde8c05a763a52ed10f7a03642e28c959559f286623b354a8d6a68a6d8e

memory/1020-126-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e1041c1c4b2b639b3a1184ef3dc8436d
SHA1 9f1ddf0c7e0b1e9ae86b9e0cb3af2a7f6fbc6243
SHA256 ac3d90a95462f027f663e52471f06582c44300613ae0b788602a8065388c9480
SHA512 d06095f1bdb095810b8906f8b5a73c234bd19855c832859804182b4bae071a528ef755ad07a1ca2a24f085dd4f9ef8536992b5ef080b80273f2605042b464f4a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 07f5de42b5eedf6924ec511489c87c8e
SHA1 1bae4b08bc2fd93a860dc045af139474e35db2a6
SHA256 4ced5cb9164391294f2abe6c030235f38b50054e5a0bbdcfc98af55adfb217f9
SHA512 690caeaf0e9bde819610b5f8b6e796d293e3d893fc7ab044aec87efd0b2f3ad8d4b5e2bf57bf2ccc922d199d4be6eeaa2af17619a551a4e0b5919a548679abe1

memory/332-135-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0b6e18b8dec350e64926213eb8ee5aa8
SHA1 69f9051d98164dac77fe03a67d3514681333953b
SHA256 dd2b4e365530f117f355f433e65658ef8ed29dd83b53f42db71e6d283c6cdbc3
SHA512 17ec53047ead0f9111381ee21b8de423cb1525c6e7ebc03c2a5d474e4a2b5fc8864963fd38fa525296ed32ebd977e114e2ff38f02f5b9c10095c48cfeb6fc7be

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e173bb7ab36e4d329939d65b65914f27
SHA1 5fda5e11210cb0d91d3332ab182247ff11d9b1ad
SHA256 d45c5f9a257fb766de540b8ddcac2a36a24137ede1cf3f8a497a515ddd4951ba
SHA512 964dfa27c05cf5cc071a5a3ffc6e26018493367aa5a33e18f57b94c3b1070909f9e6bee8373c00442bc5d4a7e02b07bc406a6738389dd5063c6b43ff745ca209

memory/1636-142-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5e869c7f3eaf86d259dce8ab4c8d6b72
SHA1 72e55448ea1c422ebe9fad90a563271050ac852d
SHA256 da44eb5514c527ca9df4d766b3968c54602591dae2b11f7182b8727f63fc3a13
SHA512 98300982d46116bde82e01a73a1023544430d2cac54f435dcb69aefc14ac1726720c4da4150d1abd4508dcddfd6cd1042447f0f3627db4f1d89fe589b9e73a26

memory/2108-147-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1996-151-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9495803e7c2e82888e478c38aa28a8aa
SHA1 04a5614882193cae955dcb0d5352606afd518222
SHA256 634e8219d99d445b6ad99d19853c8ff86423e2b89992dab4d7ee589ad52c55f8
SHA512 de32f3cc6d88d4c568527f0b58ff6eb1072654ffbc562f9cc499f2dca3643e34c264097124ed437022bcbb5d50b8f4cd137ae6c61baa9e7020e72ba56d469936

C:\Windows\SysWOW64\drivers\spools.exe

MD5 df9fa8eb8ad1e26455033ba3b312d9cb
SHA1 3907cb806a99f97a3e728a08e9384bdba1353ff4
SHA256 e01dfdb12892e615362c057c4bcf1c387b5341ee18c5963f0ff19ca950cd044f
SHA512 1758d601d053713f82dc3231e86957ab666460f6b982c96f06697521587223cef769415d99beb1c7aac6a15e1b0e099e8d6276b38865f5ffa933ff3d8b5b0f30

memory/2108-158-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5050197ffcad4a33a8b350377103da0e
SHA1 293c60603b801c6305e20b609c8c092139c81ee4
SHA256 d32f697357f6f280b6948a99d70902054c48b14df171e50ba0c3b127a815adec
SHA512 1aad3da39feb6d8e361cbc213d36c72da0e1ff195654c59e13c1d605489e954d2062911cdf5719651f1664117664bea83a8aa54783ce024c1058f549bdfb3763

memory/2952-166-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e9987134a9f747b31a757fa7a6caa6df
SHA1 2f73bdcae68d69a84bee9831ae166b5cb6fa59c3
SHA256 6226ab627e72bf6ee1422f8be2caa66831ca63358dc05d709291a1dd680cf60f
SHA512 ff1c12aeda86e0b966a052ebfd3f691be6acfb6a4245023d4506f7f9d37455e999832300f75c3da902b8813fc5d2e6f528be898572c18719940c8a6088d03780

C:\Windows\SysWOW64\drivers\spools.exe

MD5 bcd2905d994184883a70ed954e93b1b4
SHA1 bd5bed620a2709266a38b453d9515f7f849014be
SHA256 6e15005a8061be55ec6d66052ff4443d54af8d4803157eab549fd36a040831cd
SHA512 558060e05e50cefb0f8cd85e0c80a846e89fe056e84b36c2b590080f8dd57d2fd99da28fc54c2e0be7de313493d8bcc3a414c3602ace3e884929c2a91bae5bf8

memory/1520-173-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7083dfc9663b31a22a1d63704203db1c
SHA1 4d380a3b39dc2d566f5331b935b83559a049836c
SHA256 6649d61beff62188be2829f12a7ffbe5ea5297453b047f80dd45f7ea15e26c92
SHA512 7f1e82c1aba647372b079acfe81fa8a48bc5bb1431a7f0c326e809329092314ad01c66df248e227ec38ce0e901b66379a672bd7a5d07fe2b85bd2efa8aa24e97

memory/1724-181-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b363aeb0e6d8a65bb4f90e3dba9e59f0
SHA1 234eacb3bca0262b01d41336457fbbbb84d1574d
SHA256 fb58d86a1261a61cecf5c311df2efe2e02f0f80572ead30aba680d915b9f238a
SHA512 afe015dedd44511e07b512ebd1ed9a4197ff1ab35de9cb3a19e7514813c60a99a3f01256a368e8f70edd6c0c09326ceeeb0ccbf2a3441d7025d4541ae83f1546

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1624641670234890b8ea9de758cab4a2
SHA1 30afc149e6f4a4456617bb39ad1da2e68325b433
SHA256 8dee31e38c1ccd0bc0066a2cf85a81c8cdf593c3fc0d3fb8d909277c9a252d06
SHA512 8c9444419707ea9a3c2e5626714a8ff647dee161f9816b38ef975265d66854f3a72db7adc618a0787f513214d5f271c25bf7977fc148b6525181b49f5162d665

memory/2160-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e5a71e23df46d21f0a7f32f7dbde71bd
SHA1 a2845da7eda730e9b14754b609f134d0fc50a8d0
SHA256 324b83c80f05a7f53181f792337e6689bd663edccaeb3504a1f9f010b2a6dea2
SHA512 b737d91467333356b677ddb139c83f21d1da3e477ebe1edf851c9e3a6f205702e4d43d95b6145a1c8b4904eb4116ace5b4ab8111e42f2d4462b462b275505338

memory/2680-196-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5ab25b42c7c1014aa4f65e94105f1875
SHA1 f216ec0ea5b20b090a616e4f28b653fcfa246ea8
SHA256 7342bfad8654edc2ccbca3640676a0a9ca128c44cef9773a76ebf3e6c5a0afeb
SHA512 3f419db61312d5499cecfd393daa28cc1de14e77892afef76d87baa2adf5f2d54da786c3d6f0be55bf890f0c6d6b87a0d5a446381514a341970cd47d6afcd02e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9317160c3b015a48443c39e584825b29
SHA1 a48b46245a4f04be6dfef4ac63dc8282c15ef64e
SHA256 ae0ce7a180d8a0908d93333455ee4d8ede211179e69ba7e77154ffdd529cfaa5
SHA512 96617632208644a117656c28809f20d9b654aae91233027fdacefdfcfd92227a143304f3dd3980424a6297e880e14ffac85ecb28ea33a793754e552b0c23cb9b

memory/2580-203-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 25ea41c18253cfe7757675954e778be8
SHA1 b653578f733f4fde27628fbb9056812e60f07b98
SHA256 dab5d97208a60cd00bcdaacbb9590bce7d8fa05aca463267817842a3d3549a0c
SHA512 2e0e25e6995a118d94f1672dfe52d34d13306428777a8461ee48ad7f6169b9d1fab0482e26aea1ec79481c051050676b195292b040c3fd75857169973bf3e808

memory/2808-210-0x00000000003B0000-0x00000000003E4000-memory.dmp

memory/2436-211-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2808-212-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2436-217-0x0000000000390000-0x00000000003C4000-memory.dmp

memory/2140-220-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2436-219-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2140-225-0x00000000002E0000-0x0000000000314000-memory.dmp

memory/2780-227-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2140-228-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2780-234-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1332-240-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1836-246-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1504-252-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1668-257-0x0000000000360000-0x0000000000394000-memory.dmp

memory/1816-260-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1668-259-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1816-265-0x00000000004C0000-0x00000000004F4000-memory.dmp

memory/2288-267-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1816-268-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-24 17:10

Reported

2024-03-24 17:13

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 3296 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 3296 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Windows\SysWOW64\reg.exe
PID 3296 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3296 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3296 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3352 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3352 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3352 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2632 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2632 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2632 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4624 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1524 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4936 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5072 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5072 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5072 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 540 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 540 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 540 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1544 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1544 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1544 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3140 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3140 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3140 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1732 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1732 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1732 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2128 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2128 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 2128 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3192 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 860 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 860 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 860 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1204 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1204 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 1204 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4556 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4556 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4556 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5064 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5064 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 5064 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4944 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4944 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 4944 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 3536 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
PID 624 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 201.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 bublikimanager.com udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.255.166.193.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 tcp

Files

memory/3296-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 676a2747311c1c23816381200cbfaef3
SHA1 6bde97b6bfec8f4435b6e295798073a81fdf8554
SHA256 dc189afeac0cdeffba883ec3d9846f90d981a2b8d8033893719a789d7ce00aa2
SHA512 f934370596d70ec4ead856e69263afa91e8555d66e493f1feabbc5a04431b27ddd49ccfa48eeb1bd935bf5eb7f8cae6b19c2455191aaf9faa86fc7c800f43955

memory/3352-7-0x0000000000400000-0x0000000000434000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3296-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0ef35182d170dc9732ddd2361c56c403
SHA1 a10f44fa244131185082e3506291b077b0f42f02
SHA256 a27919e33afaa14445f944f9724720c837c878f6d3f370e6ea469277c9f61eb2
SHA512 ffe87a84929af05ffe31d9acf3d418141f85ff7b2d51167bbd171ed25cf59d4ebdc1d55894e3745d2724e98ba824e94db5149708d89e9a23504fbfe47c9ddc25

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1f5e006348a53342e19d9f47fed08aff
SHA1 1b1128d8d3a688f19c8b4ad0f8580e2f417478bc
SHA256 e70ba7fd4e939c7177a97eb3600a8393bb01e88fed61c2c4d2879ae26bbd5867
SHA512 5c38d49b2196983d308533c65127eb6fb4f5ec28dc9521cf73803e10eb0608adba11b30c91cb9145b295db3e999acd6ce3a1d7b6a9366ea17fbf6ddcbc6885c8

memory/2632-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3352-22-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 35ff8b7c54db4ed8e8629f662867d942
SHA1 98ddbfc9623488d0f2f840a9bc4105c192f3e0be
SHA256 7af97e651748c87c1ecb1921a4947ad2ef3421bef21c12a67c5341e6d50e0db6
SHA512 8abc27e7ba7955128754fc648da5fd810c08849ddd3d005feb26adf4bbed4f619add8a2b19e99e5cb5156a27a3e1e601678b94e67eb5b25a62993ef9d5ab84eb

C:\Windows\SysWOW64\drivers\spools.exe

MD5 23aafdb944cc43d053a071ba029dafc8
SHA1 80b095fe2286c21210cae28a8f7852f490d991a1
SHA256 e0e4706294578f6d206af015a07f4506efb28d69db7dae13627fbd764be3ba20
SHA512 11d185efa11ad2935d03779e3cfc7a133246a0a6fe760e5ef6d5a12f7179395ae52f9b07054a76b7adc3618cf81381b6b4e12686beb94ec051de43386dbed28f

memory/4624-33-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2632-35-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2e1183e37c4fa640d0522cc96b9b9800
SHA1 a0a24126988866927868e649da3eb00941c6697d
SHA256 7be5b3d62a1f1e859d395dd0dd684cdf74d874a5c72fef21a93e27ce5d1a5e90
SHA512 35488d866024d5e0d9af9b9ad010dfc0f81bf8be2081c752d07f6b02abee6427504bd56cb5d1722c7bf440272e27c82773bce2cdac9e511418ec2d0ba9503e3e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 238361874769f4e06a453dea5c00acfe
SHA1 09f82597190172ce3eaa8423704aa92ee070fe95
SHA256 3f8e8f5116163d1d6adcf05305dc5205cca874c7d565d3e4d54153d60b0c53a2
SHA512 bfcb4c2d72ce1813c3c8c21bb7091e0860ff137fab201583b447c7c0a3b3cbf98d60924996b3195157cb786c9e54e0ddbdeb937cb8918feaa57b3c595f8e54c7

memory/1524-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4624-48-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 037f54a71d9415d652a5fb4c6b04550b
SHA1 11971ec1919c44c8a02f221402a09dc53497d9c8
SHA256 657085e3a9c92aa2061b5d059a757d19ed732b722aad551352656f4accbb7fe7
SHA512 bff6a9079e880982a0192f00f1fe63a4b6fb2051f265195bba7559c7643842ad11bfa355a9f81e2e555aae580defb96513c330c15d61bfad09231fa867e8cd92

memory/4936-57-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 785273c1b384da6066eb20122712ada7
SHA1 f7e16ad4b7177e174cc19030691a949e912d2932
SHA256 9b2076ddb7e6d976e060a1c5c94ce7062d04f985d133ffe06b7b053b4e6c9be8
SHA512 b22d6e5c31e5eef7c3159a5dc1614653bb01fd4173eee0f849e849f93a3bd5bbf5c3fcd1cc7d85fcb0bc1825ae64a07dba703cbf7d599ca61cf80b4ca5bed9ca

memory/1524-61-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 2a1ddd75462f60830957e764629affa5
SHA1 bcf843406acd74a094aa22825e8b68a3f2708008
SHA256 eb03d0abde1d7a5f6567253938a25f165ee4de0b8a7d89c4c0109ad55f9f6dfe
SHA512 99b26793154a7aef4ea1cbec2c4a59c16abca563770d67d94ae160f0ec16a708df926faa7f21361d710651e7f3dd8562a2abdfc90221806a3db1bb2be69fe1bd

memory/4936-74-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3536-70-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9286c71e3903b460cbe2f22f003bdb81
SHA1 ea80260a8bfaaece1334ab14c4ebf4258f02d2a2
SHA256 7de2e245b1efb7ed5d018f5c93f0a24215503ec241beb4057e38054d34552248
SHA512 c415ecd2002b4f527921f2e857d8805ffe5d1421a3a0fc097433bebacc6312d04dae7c6bdacfa4f3674040a7fce0acda6bb3d7f65c8f61af1ed0af4f3a5441b0

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e4dd64972afe1ee063357ec097c70cd0
SHA1 dc15cbac7b3d8a81a0d4961cc1579f4e93ada090
SHA256 03b24357844dcb63ba828c7a7d3c75fc52fd9d3c27f075907710d90d2cd479d9
SHA512 1eb0a2fa4de523af0587a07dd6e63305f93f56086ab07c5c7f5558d8c6fbcdfcaf705bf25fbe614b1d16b1fcdda2533bd2f207a3edef13c439735636eb92659e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 53ce5be04d457b45955718870b7f3f85
SHA1 dfc543f69d88c9ebfb0869ef044f8229b2f4b368
SHA256 f0f9127039f85b0cb1a881eb6824a426d6583423309fd366f1133843d941584b
SHA512 df1d27a906ceaed06c7b1cddf56b311096feac995f9bf140c116f6acd7bec02a2d014c240aab7a7f4b0f7a718a64ae00faf3c6c7d09b224d0b4443c952f47577

memory/5072-85-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3536-87-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 feefb22f2140a5a52b71b32e51e9a850
SHA1 fd7d9f789a1e43a06414afc7d93fd94f6d7faea4
SHA256 9ccc8470bf3e41d4d514b381353ca98b85e61ae20f3e92875052f80aec0c1617
SHA512 393d59d0056beec684165b005502df99422dbf58d174de18877ab15900da2fd502945d446e3a5f1b115ae9ffd0c3bb2d034006739ec256a6c1d2a2b6c15f4709

C:\Windows\SysWOW64\drivers\spools.exe

MD5 6efd3bccd8611b8614e7ca3893c6a61a
SHA1 fc956d4c5b2805077b4a3f8653aa7e847532ad67
SHA256 8858b490723a7454350b20e81419028b17266b59617e729560864ee019905745
SHA512 3e0c9df4c94100c6cba9196f5b22d2fc08d73779d701c6605da66a4074130c3be2e5fa7414b9d4ce6d006fdcc25e5576d84a4f9cc7c71296e6833cb454b2b009

memory/540-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5072-100-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 19d12125e6de52f7705672a4cb4ada6a
SHA1 ee7527122f1c4ffd49a175cefaacaf3cea0e3675
SHA256 95a989e4eab3580185c22dcc755fdb913ff5d5f51cf62e58feadcc8c8811dfc7
SHA512 1a9db953d221121dad5793c96b0532cad487a63e57f4a266a21087af829d12f2e0a0bee0303523e1eea8bcf749c9a72371432f048dfd95ede746e6483486cca5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3deeb2da399e2aeb3936fb02e36142f9
SHA1 1952763652bac50d9483043a04a08a6a1f549c13
SHA256 f1785f1ca63d51d0c07d16ae62ef6163ea38fd2ee7413ed5314fd0f8efc32068
SHA512 2b93fa6bbaee9779b4ecd268fa7359e7699ce02c86a8d980958cf33d2f82cf19180fd5a8f4565e4ea826ca0b383d716d0f366d423bf7313de0424b3b49e70a15

memory/540-112-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a1b0f062ba9af55d3216c99ea7f661fc
SHA1 b10d23f78f528d4fcceff6b187ebded405b1fca9
SHA256 59a707c1251e2296fdc616f6d50adedc28f42ca1dc07ea26fd394ade742a9a39
SHA512 9ca5c6800cb7610d3c9b88e500bfc5e0ebb27edc56752ed5b20b239a6d4c7f52e4f49f9fe355e29b66b3a5f4244c2efc49178d8f11d4b1f0c8a9417fdd5bb4bf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 85819692b80fe18080a415de1801439b
SHA1 7725e8f977a949f57ebd658ebfe990b1e58969b0
SHA256 3744667c8018a7afa7e156a70b0e6d7dd946dd5007753debf6b779273c045c6c
SHA512 7015207de4cb79c3f140d503056f35ad108d0d29e3c40d316dde421363ad842bc896973290ec45f8a5cc47c9c01bc4a1f805bb9201fc2ef59f51f508ca849902

memory/3140-123-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1544-125-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b54957423a26ad54aaed0ee8aac5e6f6
SHA1 d3f4c509063c300448604174eb604adadbb493d5
SHA256 747fb405bdd23dd900d167b22e59ad653b05967a88d7a3d939fd22a87c62a499
SHA512 88fc47eace5885413f304ed8494e3f46de2d139d4d5c77bff69d5adbeca53ccec16a0b59a734bdf1c65b8552e394c42c9ec38261831390cdbb6efdfe7589b76a

memory/1732-134-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9b5ebf08df82151ed3ba6531f00246be
SHA1 4b6a59bdf866cd6af647cb6af17a100ec7196b73
SHA256 5bdbe40a36648ee283232a9415d313efd0d1bdf47d9b6bbcb5fdf08406019951
SHA512 de836613be0f27b4221059cfaa49bb11867b0fee5d9fd3fe60bb9d1992d69565927b44a43f9bf70e1a9b23c50f63c7e531bfcad7257121c9a3dbac053d00ee1a

memory/3140-138-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 414e747a7f186d2e66c4c553b419b7ff
SHA1 3ca7d9836dddb3236c29ca9ba23eebf1670d4ee0
SHA256 806663d2aad2f76b1085dbf2fb52dd982d88420f1f4d975267f77c37857d3225
SHA512 ff2025b27545a72c4661c582abee0d0d7fe8d1c4a607ce95d7cf786c9d7936a33884b7eab15da51627ba9dc60beb459fd43a6286d81a2683e76e45c0e975388e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4e55eb5b65097405607a415218acebee
SHA1 65ce0ef73ffcfaff674228280c29dcf9fd82625a
SHA256 ab0c23e9690d9dcfdad6ca647f3b6c7d8fe2e2fb4837ebd8e74068ba50a37bb3
SHA512 29c9acc062216a8dfac7d4d1b3ad44f5c19203be230ed8c7019f1a65eca1683d05763d647cab80b6ae3ef88192e07961a7fd4e5168f68b19a883bdbdf7c7ae67

memory/2128-149-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1732-151-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 167a842cebff462a0221bd39b845305f
SHA1 0b4eca2d407fcf2b7e3193ee1cbb53c376fba308
SHA256 41d32626775c134b496fe7217d4e5d510652c996f7c9c63407d5dbdb9d1a3463
SHA512 6f59f2d8fc911085a8842024e5cb573d7760b020c64194e52e39fa4dd4bf58bc29ebc88b04322c3945efe9b17840e651bc94a4229bb7d50ceeb8bcec84e6232b

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e52a6e115df78e00e1cc8c9bbab94f6d
SHA1 0b2146298b260171a11671911c00de415baea0fe
SHA256 acd9776d5ccd1fd06f9c7a91dcb76d523803c5bdb7a4228e7b5cff697199677b
SHA512 a99b75ba9bc67c9df3e3fbb44407806c8faff0ffb95c689cb13b658183da9fe63b577b11888d427bb06d1e0552ac50f1c2add258acf9c0ef7cba9039a8ef25fe

memory/2128-163-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 219f80e978904514dccf47e62c198074
SHA1 c7ec1d65f99567c2eda182c2b44782bf7be863b7
SHA256 01328463d07250d43de278ad5193966a1dae8a86865c420513ec12d204dc3a97
SHA512 c9c8fef43c046ccb74ef0fe4a188c5c84b38e3b637b9d51b38c330bead96668d709574de8003526bd4dbd3ea556f82f7004a820a5b7f9ff55f53c390e2490f36

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0cd69bc97eafa4b14761e1c93c2e9c36
SHA1 dfe48ac845d36b759bc09da72f9683a41a85cf19
SHA256 deafb00c7ff23e41092397c555944e46c0a1680682860d00a8bfbe2e7a761e0a
SHA512 67bad7ed7885f553f140912a2de5956781d3f9e40676e8d6b21d09115736fc666684191d975e62852b9f42958fc604572d6f478b422031195a1ff7f07f74fcf0

memory/860-174-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3192-176-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5c1d2f58914fd0d95f378666dd5d7210
SHA1 659268cea64770489be0db9a25c246a0df3547b0
SHA256 94912d95c0a1a94009e7451f0c563e56a596032a8b49d2a58c263623e951fdfb
SHA512 663ba54069304018d338773b5dc670d2aab515a436acbb49b639906a40357f7c819f0540302d1e17891c86ab05bb431241cddcbe06da60d13c14686f25e65d53

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7a45e821ddb8dc1248e359012a5f0155
SHA1 47560a41742954076dc5084739ae16ee2030733b
SHA256 442e2c6862abbc0c3729b6f2a00ec41259fe386b3a7736726530472f9eafcb28
SHA512 5c890e439eae536bd034496ce64380d4a94212e0d5b6109cc3a0baacde65b9fb5a7e8285d1dda330014cbc82da94dd00e8567a94d9f0b0833cde0488a95eeec5

memory/860-188-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f8cdd6db0b666c1e94b5db7abe4d536f
SHA1 34014e0c2f778791139dd95436176e6e33b5b674
SHA256 29115454ece12de6ffecb09890657d5711312e6297a0439336aa4a6fa5115a2c
SHA512 b72845344483aef061e1584d726e5a2ea295fc4c7ab6409dcc7fea7a2c4081dc25f0a15184e57812356f7b653c1b7189c38962c66ef14dc2d7397e5b719f0bcd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 2d002793cc1cfafbcaa3cb7ad97c7274
SHA1 232efc01643bec45725eb7e3266e614ccc93bac4
SHA256 60dcff510b78c13d2e98a3bf816cf35ca6ee1eef90a8a143247afd12d27ba62a
SHA512 bffd9e19071e9fed9d744f34025611a26d618f6bae543ea3be9465241e212941f92ceeff20f517bcf896d9f1623258bdea5fa5bda532e312781ef65cb7f87b25

memory/4556-199-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1204-201-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 dff332dbf3c074c495c10b6d720d3ec9
SHA1 0a3a2beda0169c718ecc36979e69b797ebe86fc8
SHA256 0b5c13228b4ef7c0527e185fd2a509ea7fa7932a547ae4fc47c5e22c551fbc89
SHA512 3f6c4944a24e46674f36bc84f4875601e9bede369f739bc708a6b649899cdb78099640320f1c15c9dcc476265e2f2c7ebb3a6cb5c1e7ee4dc1399b1726f7f1ce

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9edc7e2f02f4ac98b99ef29f28c25f89
SHA1 95417fcbb589a9fb08d2587177184d017e11556e
SHA256 5faa7247aa188559ceaaea206f665e88f00bfc99dbefc4e8a383bf070785a2bd
SHA512 7b96fa4d736b20d5d4362a1b29db9260f8c284d14c1802127d1c69a423556ab766018b7fdca305b1102341b8d3b5b930ac72d9d81097069125e18c63ab450c84

memory/4556-213-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5064-214-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 84acc395c49680c084064d08e0620e73
SHA1 b7b93baac3049c0427b7713d68f436653812bf8a
SHA256 b02b7d665d5caa94df927cf79239a4a249f6aaa0797a90350dcb5ff394978365
SHA512 445b4227298cf603db54b85acb2d50df36cb289259ba41c9e51e11e0004c0d9bd978d18f83db99bdf7ce11e44eeede6e26fa00846326bd088f513f14f4490d36

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0380a8a6093d51db43ff4bfae9da3bc4
SHA1 1c8fbece728e9d4542e8e69eea18fd3eecb14376
SHA256 a76e1107e0fc255db669e8f0f7471f93f35026a7493dd48f736c217b319d8f82
SHA512 e706107003a19021ddc6d8fb5a0de9afdd2c5879c6ef67bb54679914af7971747b8ad7594477701b87ed7b4401b57e5574c7d80d2b6e2b24162cd52196a82efb

memory/4944-225-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5064-227-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 17dbb0392ac9e9d2d86b9111f1232cd1
SHA1 d342e3d2906217b087b80d05327337010a335e52
SHA256 6a2a38b881762c99fbf01fbe4c042ae09a24b2c6563258adc67983ea2227547a
SHA512 f9a330f003c9e907d735a29a714b013f744b27875e4786a1eabe674859170ff4e8e78f4ade269b987dfdddc5174fa2297cacd36fde4b501094c79ef71fe9d4a8

memory/3536-236-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 fefcc34ec326604a9d1783eceabec2f4
SHA1 c38d3cf40111b6f283dcd96ac6eb43045d6fcf76
SHA256 4a776e0e40033a038e7619e81476e4092ee07dfd782d592eab92624a8887f56f
SHA512 41c2dba7bc499596e7403b6b4f31b408ac4f8b8f3efa18e0db7faf28ee4c9bc345503b55ff0f02875f03b9343d2d3d5991a8f1c93fae019149a57b02832296e3

memory/4944-240-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 68a5a8a0c87e8e9b2d3e62edc695806c
SHA1 92f8cfc590db8763ed52f51306790b97a78c1f53
SHA256 609cb4ac76185b7a3e2ca56175c4b6654e36674baf5487f71eb50b9c826f8a3a
SHA512 d3d749b3f9bb3c02ef734b15a7baee7e1feec5d99e90d5d52abc46d1d9b68c07f55de8ff48b3895a03545ab7afa2a20349fe4edec22b9a1d25460b3e8019bcd6

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0140e62e08c017360177c9f09bd17912
SHA1 ad2a9447adc2a869af3371d2d1bfdadc95820b1a
SHA256 9ef5fc2f13f4b90f53cd67593c0fc458e006752a125cdc123fcd40e7be9f5312
SHA512 1987d2c30eb27304a45e1f037063892043b073be76cf83a1b551126a0a534bf490ad94d010a8311c0063c1b45ae21ca7fc00af690ee100c5a9013f96ba24955f

memory/624-251-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3536-253-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f4b237f856fb933038575c24c8b0079b
SHA1 e2f740693e1613f9966d4b0e125c41c123d43965
SHA256 8372bcd5ddcdb4f0d9104539ac5c3208f32554fe4cd14024da93efbe8c6c5a73
SHA512 e3fb01f2fbf511efc10a4ad6454ac64b2d62f1791bb857c846320a1613c887926bf16964094fafdd86112d76a2b05980cff5fddaa85d62b1b3cd89f9259cfb9e

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ace1dd847e132985d45cc64e816337d9
SHA1 7782310f597c579740504b8d59e217984d35271d
SHA256 535ec15c27ff79287c44d9e55abae2a96ac3353a6617d6ce7c026e67adbb7638
SHA512 3010123970db04ac71e08a8b6250644568deedac28802ee8866ff35d2b8e51b22d03a4e31f7a411d52393d7c239dd839443bc5fae6b345d6a8bd5cef2776a3fa

memory/624-266-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3052-265-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 66779dc772b32023b34c4eae3ae9b1c9
SHA1 e69f46cdd3c1393ae952ed5cf00b8d777c8159bc
SHA256 7abd74bfca44eb41d19c1a15d1b8c6c960fdb04a09cd9ca6ff2455325efb8e1b
SHA512 17645c98edf8a14fc50eb93ca127df8d5c9ef5f24f4e36f9663a9abbd03c2094d9c6d00a88c34fd3cafaad4c64097a99268bf2cfd808b3b61f8245ee30788581

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c2f0fd124fb101730f00eddda8d5d045
SHA1 810eea2d3ad69d5d89782327889b8734ae254396
SHA256 ed03655bfae3776e24d71acc3cd9c642d3ae12d640bcd2ab09586b8845ea68df
SHA512 cd379cda80988cfe16afcc9306c82aa4255e919c115e4c8ccd702d2580e0bbd18a7b08162cbe6018a7a05f291d07f9ee0e7550ecacd02e0d943425670000c4f9

memory/4824-277-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3052-278-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-286-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4824-288-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4932-297-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2992-298-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3864-306-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4932-308-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3992-317-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3864-318-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4732-327-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3992-328-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2948-336-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4732-338-0x0000000000400000-0x0000000000434000-memory.dmp