Analysis Overview
SHA256
033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8
Threat Level: Known bad
The file 033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8 was found to be: Known bad.
Malicious Activity Summary
Detects executables built or packed with MPress PE compressor
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
Modifies system executable filetype association
Adds Run key to start application
Installs/modifies Browser Helper Object
Enumerates connected drives
Modifies WinLogon
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-24 17:10
Signatures
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-24 17:10
Reported
2024-03-24 17:13
Platform
win7-20240221-en
Max time kernel
155s
Max time network
126s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
Files
C:\Windows\SysWOW64\drivers\spools.exe
\??\c:\stop
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8ceac449d7649a8ecb20238f158066ff |
| SHA1 | 431b314337e8a15ee91bc4ac13703f5594d7e503 |
| SHA256 | 395535721ebacaa4c4389ba1879f104e10e9c1b50e990bdbeb84c52965e1d16c |
| SHA512 | cab8dd03edaefb449fdcb98037c29bb5279546ff1bff69103b125454582bdb9bb08777907e536a2ed65cbd4169eb017cc695a0e45e67ddbb869f270654a4ea09 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0e533e6d529adcf159e6d936742cfd57 |
| SHA1 | 4cac42b457dc43ce3eb20b7cc73485db0ab53dc4 |
| SHA256 | 126fcf8786178f0a5d614cd2455a5d58bb871715ad1512670f80181cdba30cdc |
| SHA512 | 8a2885b76f4488dc4b1568a04e7ce49f176de34ffa72859e563e3ad0f778fcf0fc91d085e39ad1640850d736a6377120789b929309bc918229310674e5911425 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 81e6d06b3d6a9264d3448b761a887258 |
| SHA1 | 4209d1b0627c9077de60eda4ba5c96767af17d00 |
| SHA256 | 626acf3431b9b5ba30c6752b760c1a98f9e9dca12d3959e2c87aaf83ebc67eb7 |
| SHA512 | 7e0acd27e1b58aebabac7064f447967f6250d95a1b17cc72976ff3dcdbb24d1167dfdfa2929a84e6097d367dcfee21f7b7c356a90f1f12d47e2584db3885e0b2 |
memory/2548-14-0x00000000003A0000-0x00000000003D4000-memory.dmp
memory/2608-17-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2548-19-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9bc568b16ca05c4074899290829c8a83 |
| SHA1 | bc28a0fd4a0f3aea3c857e265943100026c0e5e2 |
| SHA256 | 7d7e4f439688da89fa2f47f9135b628e1648ace3e82d5e56c2e638b5b971f710 |
| SHA512 | 361b775e8f40d959b30f56bc340e367dc22d2290b500d239cd5eacc19b3844599bdfe00af3c709009234a2a26a5a3fecf43d1d3e44315d745aaa16b18c5cb206 |
memory/2608-27-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 4b26a3e25967e85d993471c18b019825 |
| SHA1 | 14458c0dcee32ebbb93ae480da65fcb41d7525cc |
| SHA256 | 8d2cdb41b8cc935b6abc7158955e5316b8fe40a0f446388c674eb9c5913fe081 |
| SHA512 | cdd7c605cf1ba053d16384e90b3debc131ebfd95283f2335e796637daf08bd6ebb9c757f94993fc30046bdb43a88368c40c10e230013a224f019a5456af9097d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1c6b51aa331d5cbdb5d0457e16c10eae |
| SHA1 | 94357b19b7855f4487e0d21423d627f2fd79d709 |
| SHA256 | e570c77c5002c834a30b4145d40dec01cc44bdc9a7f73ed5cea3e4eff555387c |
| SHA512 | 479084c71cad36bec0800253fc5124d5d3ecd0dce0c13cb9a413148e64588bc489f18ce728a5d7d18e76bd535edbeb5967079cca95dc9d14374fe87805df108f |
memory/2592-34-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2498034f196b56e9e6e30668f243795b |
| SHA1 | d1257811679acb0648b3b1efbd1a1957544d0f21 |
| SHA256 | 07cacabc99041fa35493c4184d60ad46f951883d0f50efcfa776f24f96b97f44 |
| SHA512 | a07b2d004538c26a9afa169ada9e26735753bd35b9ac6f3f51c4e13825d4537090d4a7ed2b0b7fd3251d10b3e1f7a7168b2942bea82cceff0db99a1ddd48517d |
memory/2984-39-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2448-43-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 47d91b2361865d2ff68e4cb382976c1d |
| SHA1 | c3b5071970fe458a919eeb9668c4028f594834dc |
| SHA256 | 66a186e42da88f5a13179a374ba99bda764fe567788741a6498091cd50f41bfc |
| SHA512 | 3a6dab864a198822fb6f59ba947428f4f5246498b4dbb3e0c0cd0f8ad9cf454a9b11f630355c19706c087c8caffd9437caffe88d864d1bfa18a9594b36117da5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 909b7d351208137047dcc17976946a76 |
| SHA1 | 931a2d0f0eff70c948a05868faee3c47cfa2f495 |
| SHA256 | 69925179a1d42d0c2b0d0f573afd91b481dbfb4d35d472cc1df389c49637c934 |
| SHA512 | d9140f075fe620f3fd74bf9b3ba87f8159c92d5c0bcbe8f1eccd5d9a66549b6d8402ff31b5d75321e533dd79764a48d34070fa304dbd3947f5cf84b9b833fc6f |
memory/2812-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2984-51-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0be4d0d862d19b41f2b7e6457434b442 |
| SHA1 | 19bb1cb09abc364a5adf9d0d3318872ce1bad8ef |
| SHA256 | 31189196691eee0a3ec67eb4fbb70248232bcf78d1aaf1516fd9fb0e811cd92f |
| SHA512 | 2e93f0ab67424a28a1cf779abab5fbf56bc1b1fd581c40414c16291a3c3a0354f1370357df3337409452ab1376af48d3bb4a7b768fef3532724d79a97a603aa2 |
memory/2812-59-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ee76f15cfa4c9749bdcc4e6da76a2150 |
| SHA1 | b9813df20782533337c0d17205a6b4c1bf274348 |
| SHA256 | 6707e1272820e713ff544b034124bf142a9dea6a4db3c7c7f8b954077ed7c020 |
| SHA512 | 3cea76e4bba566fb25dd120953e8459da9665a69b0f861a67f1f1b2f44e3814d2bb3c310af955ba66e94d12c0ac04e7db95711ae1008381911afd2181f99d2d2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9d7c0a2f9f58b62a39edde46d46efa28 |
| SHA1 | e5c5fe43814872dd9f66eef62fa52e3c6b8fe6df |
| SHA256 | 50eabdf232cc4a040f8d199f7e605106db45377d5d931d584b030b53c3e80a2b |
| SHA512 | 62566d43de57a892e9cb45a6f05317496d53f40cd54a5a9540a25e988a773e7555b4791caf757a0328f7d004ace964993b4b5713336629c9378ed6503e7d3fee |
memory/1048-66-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b43826393f9cf6479a002a4d6c8f533d |
| SHA1 | 9d6b5609a83f33610f037f9e724a52f8683ffa11 |
| SHA256 | a0800df3397a8d3ee74d97ad0a7935f71fb7032264753cc44101966c5c30947f |
| SHA512 | c73760a850f2eafd52b8e412aaa1e640b193d5cf02d385027b9b50abdd6931e6e70713e99511cfb04a6b6f91bb6292727954d79c5919feecf257d0415eddb5e7 |
memory/672-74-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 45446d327d0267570d6fa3f9af03effc |
| SHA1 | e518800d0516264da72508ce54c4cf74a8794ed2 |
| SHA256 | 37b59e4e82c7bc963a51e721abdf9b894366d7102896926b6ae9d595fce231f7 |
| SHA512 | 36114a6d338b8a21200400639b4deb180f8fa7f67e8f8378237523f8f7b080856d2fad892f46945e6408475b588c21685b08f5001080d0a9d6d8120cd44b1cc2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | d70cbe28ec123354785454e466813437 |
| SHA1 | 768e19885a5f09cef93c824666a4875afcd05326 |
| SHA256 | 31e5496f0280c459d41557756273dcf05973291e1f4d7bb754a79db9cd9955bc |
| SHA512 | c28b64e7e2733c38e04c9796e6c234fcafb97a0599d64810dbf96f29d161a50472b74d4992850592781039ed89bf4c30803a3fb15272a038ebf90fce9900c22b |
memory/1328-80-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2752-82-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ba3fc64f002607dc4f7677918c4d6f51 |
| SHA1 | 4bd1424e1d3d144f22b8f9fdc55500f343796bae |
| SHA256 | 46447a85e2a0f8ae6b73fe18c940f90c0e79d5cd9e2402548858e4b8549a6b24 |
| SHA512 | f329602f107236c614c0d1f8963c266e9089c0ce869e6cacea6760ef57b5d121692106b6c144ea64f193c7ba8b73d4563afc1ac1026f46ce4d28a0eaec03d337 |
memory/1328-90-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8eaa9ed1b48afa5b22b4d53171886bc6 |
| SHA1 | 22be9747dfd105e8115d8fb598ba02bd15c81fa2 |
| SHA256 | 7d8907e5a5c6b2858c40ba687ade5e6649fd3d44270378eee9d6cdb016e0be73 |
| SHA512 | a8b28f4570cecfff4f110c226c4dec6e75079a28a035de8572be40a97ad9c7a3e8d398b02de52887e4cbde52ad95f156a369572f708a3e43f63c7171c3ccb470 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 72b98ed638f7504872ad492eaf897892 |
| SHA1 | ea4003db7000e727938841cc407615f96a2b0562 |
| SHA256 | 1b13e53f5dab597f20762660237d798e7abf8aa736b9c456dd1007b2f56b66dd |
| SHA512 | 198b71292c350bd3b184b9a4bada02909c9e5d5c9b78f44b74b15b6b3e4549db019806a384147035cc70a9d2245fc452c0937f4bd42135d75700d087f354d30f |
memory/2300-99-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2912-98-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2300-96-0x0000000000380000-0x00000000003B4000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 09c51a30c39bdf1b1d99b83ec3abcca2 |
| SHA1 | ca957ca08f711b274a12e24858149d20c70e1089 |
| SHA256 | 3d8b4f9902a79b0db880162f2dbf8f602c26c6179531186ef28dbabb53025a92 |
| SHA512 | 36326d4c23b012d8d1cb2e828f5f9daffa4e00c15b78ef92237b414b8de617bd447a8a21aced2948c66658333ed7ebd491435df8de3ba671ced3e4a3e137084a |
memory/1640-104-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2912-108-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f55322b3d059ea8565e6c86cc1e1aff6 |
| SHA1 | 8e953fff29c4d208a2cbd4b2ba353f3808e40810 |
| SHA256 | 14f4e8e885ec0601646a5b7b2c54b865ff65bdff383e77165cfdc9bf6d5e303b |
| SHA512 | e12983103de4a96e7e36b9b931fa21c91c840246a1a013435aeee675128493d08fa740b13fb46a4c31d3529740c41e15b3b76240c6e0b0a14aeda6248129634b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 637f36a009815a5d2789eb54c1303529 |
| SHA1 | d259a1a5db84f4dedc6e4f9358630ffca4493bc4 |
| SHA256 | 1245106e80140754c715c104f8703c35bd8f83c140712eb5566c1cb63fad8aa8 |
| SHA512 | 79fe60cbf6527155bd90ee0cb05eb3643d2112d285c1f2d980be5139e41914b4905b002b8a8abde924e640316dff0c31da426fa3745f817447ee9cc9a0dfc719 |
memory/1640-112-0x00000000003A0000-0x00000000003D4000-memory.dmp
memory/1020-117-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1640-116-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1020-122-0x0000000001F90000-0x0000000001FC4000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ada995b80d10688fd1b18a120ee3e11e |
| SHA1 | 1ec3dbe3d896283cb5842e9535896a7d30c28dc7 |
| SHA256 | 47243668e5bf5acde74c40e4f74bd0bcf0c2bca925d6e900a23bfaadc106ccf5 |
| SHA512 | 44b331e2b7218f1884549a0cd378fd1f6bc20ad712738d58eb9e1b9cc95ee235e76d7bde8c05a763a52ed10f7a03642e28c959559f286623b354a8d6a68a6d8e |
memory/1020-126-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e1041c1c4b2b639b3a1184ef3dc8436d |
| SHA1 | 9f1ddf0c7e0b1e9ae86b9e0cb3af2a7f6fbc6243 |
| SHA256 | ac3d90a95462f027f663e52471f06582c44300613ae0b788602a8065388c9480 |
| SHA512 | d06095f1bdb095810b8906f8b5a73c234bd19855c832859804182b4bae071a528ef755ad07a1ca2a24f085dd4f9ef8536992b5ef080b80273f2605042b464f4a |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 07f5de42b5eedf6924ec511489c87c8e |
| SHA1 | 1bae4b08bc2fd93a860dc045af139474e35db2a6 |
| SHA256 | 4ced5cb9164391294f2abe6c030235f38b50054e5a0bbdcfc98af55adfb217f9 |
| SHA512 | 690caeaf0e9bde819610b5f8b6e796d293e3d893fc7ab044aec87efd0b2f3ad8d4b5e2bf57bf2ccc922d199d4be6eeaa2af17619a551a4e0b5919a548679abe1 |
memory/332-135-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0b6e18b8dec350e64926213eb8ee5aa8 |
| SHA1 | 69f9051d98164dac77fe03a67d3514681333953b |
| SHA256 | dd2b4e365530f117f355f433e65658ef8ed29dd83b53f42db71e6d283c6cdbc3 |
| SHA512 | 17ec53047ead0f9111381ee21b8de423cb1525c6e7ebc03c2a5d474e4a2b5fc8864963fd38fa525296ed32ebd977e114e2ff38f02f5b9c10095c48cfeb6fc7be |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e173bb7ab36e4d329939d65b65914f27 |
| SHA1 | 5fda5e11210cb0d91d3332ab182247ff11d9b1ad |
| SHA256 | d45c5f9a257fb766de540b8ddcac2a36a24137ede1cf3f8a497a515ddd4951ba |
| SHA512 | 964dfa27c05cf5cc071a5a3ffc6e26018493367aa5a33e18f57b94c3b1070909f9e6bee8373c00442bc5d4a7e02b07bc406a6738389dd5063c6b43ff745ca209 |
memory/1636-142-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5e869c7f3eaf86d259dce8ab4c8d6b72 |
| SHA1 | 72e55448ea1c422ebe9fad90a563271050ac852d |
| SHA256 | da44eb5514c527ca9df4d766b3968c54602591dae2b11f7182b8727f63fc3a13 |
| SHA512 | 98300982d46116bde82e01a73a1023544430d2cac54f435dcb69aefc14ac1726720c4da4150d1abd4508dcddfd6cd1042447f0f3627db4f1d89fe589b9e73a26 |
memory/2108-147-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1996-151-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9495803e7c2e82888e478c38aa28a8aa |
| SHA1 | 04a5614882193cae955dcb0d5352606afd518222 |
| SHA256 | 634e8219d99d445b6ad99d19853c8ff86423e2b89992dab4d7ee589ad52c55f8 |
| SHA512 | de32f3cc6d88d4c568527f0b58ff6eb1072654ffbc562f9cc499f2dca3643e34c264097124ed437022bcbb5d50b8f4cd137ae6c61baa9e7020e72ba56d469936 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | df9fa8eb8ad1e26455033ba3b312d9cb |
| SHA1 | 3907cb806a99f97a3e728a08e9384bdba1353ff4 |
| SHA256 | e01dfdb12892e615362c057c4bcf1c387b5341ee18c5963f0ff19ca950cd044f |
| SHA512 | 1758d601d053713f82dc3231e86957ab666460f6b982c96f06697521587223cef769415d99beb1c7aac6a15e1b0e099e8d6276b38865f5ffa933ff3d8b5b0f30 |
memory/2108-158-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5050197ffcad4a33a8b350377103da0e |
| SHA1 | 293c60603b801c6305e20b609c8c092139c81ee4 |
| SHA256 | d32f697357f6f280b6948a99d70902054c48b14df171e50ba0c3b127a815adec |
| SHA512 | 1aad3da39feb6d8e361cbc213d36c72da0e1ff195654c59e13c1d605489e954d2062911cdf5719651f1664117664bea83a8aa54783ce024c1058f549bdfb3763 |
memory/2952-166-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e9987134a9f747b31a757fa7a6caa6df |
| SHA1 | 2f73bdcae68d69a84bee9831ae166b5cb6fa59c3 |
| SHA256 | 6226ab627e72bf6ee1422f8be2caa66831ca63358dc05d709291a1dd680cf60f |
| SHA512 | ff1c12aeda86e0b966a052ebfd3f691be6acfb6a4245023d4506f7f9d37455e999832300f75c3da902b8813fc5d2e6f528be898572c18719940c8a6088d03780 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | bcd2905d994184883a70ed954e93b1b4 |
| SHA1 | bd5bed620a2709266a38b453d9515f7f849014be |
| SHA256 | 6e15005a8061be55ec6d66052ff4443d54af8d4803157eab549fd36a040831cd |
| SHA512 | 558060e05e50cefb0f8cd85e0c80a846e89fe056e84b36c2b590080f8dd57d2fd99da28fc54c2e0be7de313493d8bcc3a414c3602ace3e884929c2a91bae5bf8 |
memory/1520-173-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7083dfc9663b31a22a1d63704203db1c |
| SHA1 | 4d380a3b39dc2d566f5331b935b83559a049836c |
| SHA256 | 6649d61beff62188be2829f12a7ffbe5ea5297453b047f80dd45f7ea15e26c92 |
| SHA512 | 7f1e82c1aba647372b079acfe81fa8a48bc5bb1431a7f0c326e809329092314ad01c66df248e227ec38ce0e901b66379a672bd7a5d07fe2b85bd2efa8aa24e97 |
memory/1724-181-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b363aeb0e6d8a65bb4f90e3dba9e59f0 |
| SHA1 | 234eacb3bca0262b01d41336457fbbbb84d1574d |
| SHA256 | fb58d86a1261a61cecf5c311df2efe2e02f0f80572ead30aba680d915b9f238a |
| SHA512 | afe015dedd44511e07b512ebd1ed9a4197ff1ab35de9cb3a19e7514813c60a99a3f01256a368e8f70edd6c0c09326ceeeb0ccbf2a3441d7025d4541ae83f1546 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1624641670234890b8ea9de758cab4a2 |
| SHA1 | 30afc149e6f4a4456617bb39ad1da2e68325b433 |
| SHA256 | 8dee31e38c1ccd0bc0066a2cf85a81c8cdf593c3fc0d3fb8d909277c9a252d06 |
| SHA512 | 8c9444419707ea9a3c2e5626714a8ff647dee161f9816b38ef975265d66854f3a72db7adc618a0787f513214d5f271c25bf7977fc148b6525181b49f5162d665 |
memory/2160-188-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e5a71e23df46d21f0a7f32f7dbde71bd |
| SHA1 | a2845da7eda730e9b14754b609f134d0fc50a8d0 |
| SHA256 | 324b83c80f05a7f53181f792337e6689bd663edccaeb3504a1f9f010b2a6dea2 |
| SHA512 | b737d91467333356b677ddb139c83f21d1da3e477ebe1edf851c9e3a6f205702e4d43d95b6145a1c8b4904eb4116ace5b4ab8111e42f2d4462b462b275505338 |
memory/2680-196-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5ab25b42c7c1014aa4f65e94105f1875 |
| SHA1 | f216ec0ea5b20b090a616e4f28b653fcfa246ea8 |
| SHA256 | 7342bfad8654edc2ccbca3640676a0a9ca128c44cef9773a76ebf3e6c5a0afeb |
| SHA512 | 3f419db61312d5499cecfd393daa28cc1de14e77892afef76d87baa2adf5f2d54da786c3d6f0be55bf890f0c6d6b87a0d5a446381514a341970cd47d6afcd02e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9317160c3b015a48443c39e584825b29 |
| SHA1 | a48b46245a4f04be6dfef4ac63dc8282c15ef64e |
| SHA256 | ae0ce7a180d8a0908d93333455ee4d8ede211179e69ba7e77154ffdd529cfaa5 |
| SHA512 | 96617632208644a117656c28809f20d9b654aae91233027fdacefdfcfd92227a143304f3dd3980424a6297e880e14ffac85ecb28ea33a793754e552b0c23cb9b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 25ea41c18253cfe7757675954e778be8 |
| SHA1 | b653578f733f4fde27628fbb9056812e60f07b98 |
| SHA256 | dab5d97208a60cd00bcdaacbb9590bce7d8fa05aca463267817842a3d3549a0c |
| SHA512 | 2e0e25e6995a118d94f1672dfe52d34d13306428777a8461ee48ad7f6169b9d1fab0482e26aea1ec79481c051050676b195292b040c3fd75857169973bf3e808 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-24 17:10
Reported
2024-03-24 17:13
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Modifies system executable filetype association
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
"C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
C:\Users\Admin\AppData\Local\Temp\033cccb2dd1c2fff8074ebb5301a93dc7241aa28861c8e183c316c12fb95bab8.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bublikimanager.com | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.255.166.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 |  | tcp |
Files
memory/3296-0-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 676a2747311c1c23816381200cbfaef3 |
| SHA1 | 6bde97b6bfec8f4435b6e295798073a81fdf8554 |
| SHA256 | dc189afeac0cdeffba883ec3d9846f90d981a2b8d8033893719a789d7ce00aa2 |
| SHA512 | f934370596d70ec4ead856e69263afa91e8555d66e493f1feabbc5a04431b27ddd49ccfa48eeb1bd935bf5eb7f8cae6b19c2455191aaf9faa86fc7c800f43955 |
memory/3352-7-0x0000000000400000-0x0000000000434000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3296-9-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0ef35182d170dc9732ddd2361c56c403 |
| SHA1 | a10f44fa244131185082e3506291b077b0f42f02 |
| SHA256 | a27919e33afaa14445f944f9724720c837c878f6d3f370e6ea469277c9f61eb2 |
| SHA512 | ffe87a84929af05ffe31d9acf3d418141f85ff7b2d51167bbd171ed25cf59d4ebdc1d55894e3745d2724e98ba824e94db5149708d89e9a23504fbfe47c9ddc25 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 1f5e006348a53342e19d9f47fed08aff |
| SHA1 | 1b1128d8d3a688f19c8b4ad0f8580e2f417478bc |
| SHA256 | e70ba7fd4e939c7177a97eb3600a8393bb01e88fed61c2c4d2879ae26bbd5867 |
| SHA512 | 5c38d49b2196983d308533c65127eb6fb4f5ec28dc9521cf73803e10eb0608adba11b30c91cb9145b295db3e999acd6ce3a1d7b6a9366ea17fbf6ddcbc6885c8 |
memory/2632-18-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3352-22-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 35ff8b7c54db4ed8e8629f662867d942 |
| SHA1 | 98ddbfc9623488d0f2f840a9bc4105c192f3e0be |
| SHA256 | 7af97e651748c87c1ecb1921a4947ad2ef3421bef21c12a67c5341e6d50e0db6 |
| SHA512 | 8abc27e7ba7955128754fc648da5fd810c08849ddd3d005feb26adf4bbed4f619add8a2b19e99e5cb5156a27a3e1e601678b94e67eb5b25a62993ef9d5ab84eb |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 23aafdb944cc43d053a071ba029dafc8 |
| SHA1 | 80b095fe2286c21210cae28a8f7852f490d991a1 |
| SHA256 | e0e4706294578f6d206af015a07f4506efb28d69db7dae13627fbd764be3ba20 |
| SHA512 | 11d185efa11ad2935d03779e3cfc7a133246a0a6fe760e5ef6d5a12f7179395ae52f9b07054a76b7adc3618cf81381b6b4e12686beb94ec051de43386dbed28f |
memory/4624-33-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2632-35-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2e1183e37c4fa640d0522cc96b9b9800 |
| SHA1 | a0a24126988866927868e649da3eb00941c6697d |
| SHA256 | 7be5b3d62a1f1e859d395dd0dd684cdf74d874a5c72fef21a93e27ce5d1a5e90 |
| SHA512 | 35488d866024d5e0d9af9b9ad010dfc0f81bf8be2081c752d07f6b02abee6427504bd56cb5d1722c7bf440272e27c82773bce2cdac9e511418ec2d0ba9503e3e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 238361874769f4e06a453dea5c00acfe |
| SHA1 | 09f82597190172ce3eaa8423704aa92ee070fe95 |
| SHA256 | 3f8e8f5116163d1d6adcf05305dc5205cca874c7d565d3e4d54153d60b0c53a2 |
| SHA512 | bfcb4c2d72ce1813c3c8c21bb7091e0860ff137fab201583b447c7c0a3b3cbf98d60924996b3195157cb786c9e54e0ddbdeb937cb8918feaa57b3c595f8e54c7 |
memory/1524-44-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4624-48-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 037f54a71d9415d652a5fb4c6b04550b |
| SHA1 | 11971ec1919c44c8a02f221402a09dc53497d9c8 |
| SHA256 | 657085e3a9c92aa2061b5d059a757d19ed732b722aad551352656f4accbb7fe7 |
| SHA512 | bff6a9079e880982a0192f00f1fe63a4b6fb2051f265195bba7559c7643842ad11bfa355a9f81e2e555aae580defb96513c330c15d61bfad09231fa867e8cd92 |
memory/4936-57-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 785273c1b384da6066eb20122712ada7 |
| SHA1 | f7e16ad4b7177e174cc19030691a949e912d2932 |
| SHA256 | 9b2076ddb7e6d976e060a1c5c94ce7062d04f985d133ffe06b7b053b4e6c9be8 |
| SHA512 | b22d6e5c31e5eef7c3159a5dc1614653bb01fd4173eee0f849e849f93a3bd5bbf5c3fcd1cc7d85fcb0bc1825ae64a07dba703cbf7d599ca61cf80b4ca5bed9ca |
memory/1524-61-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 2a1ddd75462f60830957e764629affa5 |
| SHA1 | bcf843406acd74a094aa22825e8b68a3f2708008 |
| SHA256 | eb03d0abde1d7a5f6567253938a25f165ee4de0b8a7d89c4c0109ad55f9f6dfe |
| SHA512 | 99b26793154a7aef4ea1cbec2c4a59c16abca563770d67d94ae160f0ec16a708df926faa7f21361d710651e7f3dd8562a2abdfc90221806a3db1bb2be69fe1bd |
memory/4936-74-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3536-70-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9286c71e3903b460cbe2f22f003bdb81 |
| SHA1 | ea80260a8bfaaece1334ab14c4ebf4258f02d2a2 |
| SHA256 | 7de2e245b1efb7ed5d018f5c93f0a24215503ec241beb4057e38054d34552248 |
| SHA512 | c415ecd2002b4f527921f2e857d8805ffe5d1421a3a0fc097433bebacc6312d04dae7c6bdacfa4f3674040a7fce0acda6bb3d7f65c8f61af1ed0af4f3a5441b0 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | e4dd64972afe1ee063357ec097c70cd0 |
| SHA1 | dc15cbac7b3d8a81a0d4961cc1579f4e93ada090 |
| SHA256 | 03b24357844dcb63ba828c7a7d3c75fc52fd9d3c27f075907710d90d2cd479d9 |
| SHA512 | 1eb0a2fa4de523af0587a07dd6e63305f93f56086ab07c5c7f5558d8c6fbcdfcaf705bf25fbe614b1d16b1fcdda2533bd2f207a3edef13c439735636eb92659e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 53ce5be04d457b45955718870b7f3f85 |
| SHA1 | dfc543f69d88c9ebfb0869ef044f8229b2f4b368 |
| SHA256 | f0f9127039f85b0cb1a881eb6824a426d6583423309fd366f1133843d941584b |
| SHA512 | df1d27a906ceaed06c7b1cddf56b311096feac995f9bf140c116f6acd7bec02a2d014c240aab7a7f4b0f7a718a64ae00faf3c6c7d09b224d0b4443c952f47577 |
memory/5072-85-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3536-87-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | feefb22f2140a5a52b71b32e51e9a850 |
| SHA1 | fd7d9f789a1e43a06414afc7d93fd94f6d7faea4 |
| SHA256 | 9ccc8470bf3e41d4d514b381353ca98b85e61ae20f3e92875052f80aec0c1617 |
| SHA512 | 393d59d0056beec684165b005502df99422dbf58d174de18877ab15900da2fd502945d446e3a5f1b115ae9ffd0c3bb2d034006739ec256a6c1d2a2b6c15f4709 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 6efd3bccd8611b8614e7ca3893c6a61a |
| SHA1 | fc956d4c5b2805077b4a3f8653aa7e847532ad67 |
| SHA256 | 8858b490723a7454350b20e81419028b17266b59617e729560864ee019905745 |
| SHA512 | 3e0c9df4c94100c6cba9196f5b22d2fc08d73779d701c6605da66a4074130c3be2e5fa7414b9d4ce6d006fdcc25e5576d84a4f9cc7c71296e6833cb454b2b009 |
memory/540-98-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5072-100-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 19d12125e6de52f7705672a4cb4ada6a |
| SHA1 | ee7527122f1c4ffd49a175cefaacaf3cea0e3675 |
| SHA256 | 95a989e4eab3580185c22dcc755fdb913ff5d5f51cf62e58feadcc8c8811dfc7 |
| SHA512 | 1a9db953d221121dad5793c96b0532cad487a63e57f4a266a21087af829d12f2e0a0bee0303523e1eea8bcf749c9a72371432f048dfd95ede746e6483486cca5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3deeb2da399e2aeb3936fb02e36142f9 |
| SHA1 | 1952763652bac50d9483043a04a08a6a1f549c13 |
| SHA256 | f1785f1ca63d51d0c07d16ae62ef6163ea38fd2ee7413ed5314fd0f8efc32068 |
| SHA512 | 2b93fa6bbaee9779b4ecd268fa7359e7699ce02c86a8d980958cf33d2f82cf19180fd5a8f4565e4ea826ca0b383d716d0f366d423bf7313de0424b3b49e70a15 |
memory/540-112-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | a1b0f062ba9af55d3216c99ea7f661fc |
| SHA1 | b10d23f78f528d4fcceff6b187ebded405b1fca9 |
| SHA256 | 59a707c1251e2296fdc616f6d50adedc28f42ca1dc07ea26fd394ade742a9a39 |
| SHA512 | 9ca5c6800cb7610d3c9b88e500bfc5e0ebb27edc56752ed5b20b239a6d4c7f52e4f49f9fe355e29b66b3a5f4244c2efc49178d8f11d4b1f0c8a9417fdd5bb4bf |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 85819692b80fe18080a415de1801439b |
| SHA1 | 7725e8f977a949f57ebd658ebfe990b1e58969b0 |
| SHA256 | 3744667c8018a7afa7e156a70b0e6d7dd946dd5007753debf6b779273c045c6c |
| SHA512 | 7015207de4cb79c3f140d503056f35ad108d0d29e3c40d316dde421363ad842bc896973290ec45f8a5cc47c9c01bc4a1f805bb9201fc2ef59f51f508ca849902 |
memory/3140-123-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1544-125-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b54957423a26ad54aaed0ee8aac5e6f6 |
| SHA1 | d3f4c509063c300448604174eb604adadbb493d5 |
| SHA256 | 747fb405bdd23dd900d167b22e59ad653b05967a88d7a3d939fd22a87c62a499 |
| SHA512 | 88fc47eace5885413f304ed8494e3f46de2d139d4d5c77bff69d5adbeca53ccec16a0b59a734bdf1c65b8552e394c42c9ec38261831390cdbb6efdfe7589b76a |
memory/1732-134-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9b5ebf08df82151ed3ba6531f00246be |
| SHA1 | 4b6a59bdf866cd6af647cb6af17a100ec7196b73 |
| SHA256 | 5bdbe40a36648ee283232a9415d313efd0d1bdf47d9b6bbcb5fdf08406019951 |
| SHA512 | de836613be0f27b4221059cfaa49bb11867b0fee5d9fd3fe60bb9d1992d69565927b44a43f9bf70e1a9b23c50f63c7e531bfcad7257121c9a3dbac053d00ee1a |
memory/3140-138-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 414e747a7f186d2e66c4c553b419b7ff |
| SHA1 | 3ca7d9836dddb3236c29ca9ba23eebf1670d4ee0 |
| SHA256 | 806663d2aad2f76b1085dbf2fb52dd982d88420f1f4d975267f77c37857d3225 |
| SHA512 | ff2025b27545a72c4661c582abee0d0d7fe8d1c4a607ce95d7cf786c9d7936a33884b7eab15da51627ba9dc60beb459fd43a6286d81a2683e76e45c0e975388e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4e55eb5b65097405607a415218acebee |
| SHA1 | 65ce0ef73ffcfaff674228280c29dcf9fd82625a |
| SHA256 | ab0c23e9690d9dcfdad6ca647f3b6c7d8fe2e2fb4837ebd8e74068ba50a37bb3 |
| SHA512 | 29c9acc062216a8dfac7d4d1b3ad44f5c19203be230ed8c7019f1a65eca1683d05763d647cab80b6ae3ef88192e07961a7fd4e5168f68b19a883bdbdf7c7ae67 |
memory/2128-149-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1732-151-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 167a842cebff462a0221bd39b845305f |
| SHA1 | 0b4eca2d407fcf2b7e3193ee1cbb53c376fba308 |
| SHA256 | 41d32626775c134b496fe7217d4e5d510652c996f7c9c63407d5dbdb9d1a3463 |
| SHA512 | 6f59f2d8fc911085a8842024e5cb573d7760b020c64194e52e39fa4dd4bf58bc29ebc88b04322c3945efe9b17840e651bc94a4229bb7d50ceeb8bcec84e6232b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e52a6e115df78e00e1cc8c9bbab94f6d |
| SHA1 | 0b2146298b260171a11671911c00de415baea0fe |
| SHA256 | acd9776d5ccd1fd06f9c7a91dcb76d523803c5bdb7a4228e7b5cff697199677b |
| SHA512 | a99b75ba9bc67c9df3e3fbb44407806c8faff0ffb95c689cb13b658183da9fe63b577b11888d427bb06d1e0552ac50f1c2add258acf9c0ef7cba9039a8ef25fe |
memory/2128-163-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 219f80e978904514dccf47e62c198074 |
| SHA1 | c7ec1d65f99567c2eda182c2b44782bf7be863b7 |
| SHA256 | 01328463d07250d43de278ad5193966a1dae8a86865c420513ec12d204dc3a97 |
| SHA512 | c9c8fef43c046ccb74ef0fe4a188c5c84b38e3b637b9d51b38c330bead96668d709574de8003526bd4dbd3ea556f82f7004a820a5b7f9ff55f53c390e2490f36 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0cd69bc97eafa4b14761e1c93c2e9c36 |
| SHA1 | dfe48ac845d36b759bc09da72f9683a41a85cf19 |
| SHA256 | deafb00c7ff23e41092397c555944e46c0a1680682860d00a8bfbe2e7a761e0a |
| SHA512 | 67bad7ed7885f553f140912a2de5956781d3f9e40676e8d6b21d09115736fc666684191d975e62852b9f42958fc604572d6f478b422031195a1ff7f07f74fcf0 |
memory/860-174-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3192-176-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 5c1d2f58914fd0d95f378666dd5d7210 |
| SHA1 | 659268cea64770489be0db9a25c246a0df3547b0 |
| SHA256 | 94912d95c0a1a94009e7451f0c563e56a596032a8b49d2a58c263623e951fdfb |
| SHA512 | 663ba54069304018d338773b5dc670d2aab515a436acbb49b639906a40357f7c819f0540302d1e17891c86ab05bb431241cddcbe06da60d13c14686f25e65d53 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7a45e821ddb8dc1248e359012a5f0155 |
| SHA1 | 47560a41742954076dc5084739ae16ee2030733b |
| SHA256 | 442e2c6862abbc0c3729b6f2a00ec41259fe386b3a7736726530472f9eafcb28 |
| SHA512 | 5c890e439eae536bd034496ce64380d4a94212e0d5b6109cc3a0baacde65b9fb5a7e8285d1dda330014cbc82da94dd00e8567a94d9f0b0833cde0488a95eeec5 |
memory/860-188-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f8cdd6db0b666c1e94b5db7abe4d536f |
| SHA1 | 34014e0c2f778791139dd95436176e6e33b5b674 |
| SHA256 | 29115454ece12de6ffecb09890657d5711312e6297a0439336aa4a6fa5115a2c |
| SHA512 | b72845344483aef061e1584d726e5a2ea295fc4c7ab6409dcc7fea7a2c4081dc25f0a15184e57812356f7b653c1b7189c38962c66ef14dc2d7397e5b719f0bcd |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2d002793cc1cfafbcaa3cb7ad97c7274 |
| SHA1 | 232efc01643bec45725eb7e3266e614ccc93bac4 |
| SHA256 | 60dcff510b78c13d2e98a3bf816cf35ca6ee1eef90a8a143247afd12d27ba62a |
| SHA512 | bffd9e19071e9fed9d744f34025611a26d618f6bae543ea3be9465241e212941f92ceeff20f517bcf896d9f1623258bdea5fa5bda532e312781ef65cb7f87b25 |
memory/4556-199-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1204-201-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | dff332dbf3c074c495c10b6d720d3ec9 |
| SHA1 | 0a3a2beda0169c718ecc36979e69b797ebe86fc8 |
| SHA256 | 0b5c13228b4ef7c0527e185fd2a509ea7fa7932a547ae4fc47c5e22c551fbc89 |
| SHA512 | 3f6c4944a24e46674f36bc84f4875601e9bede369f739bc708a6b649899cdb78099640320f1c15c9dcc476265e2f2c7ebb3a6cb5c1e7ee4dc1399b1726f7f1ce |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9edc7e2f02f4ac98b99ef29f28c25f89 |
| SHA1 | 95417fcbb589a9fb08d2587177184d017e11556e |
| SHA256 | 5faa7247aa188559ceaaea206f665e88f00bfc99dbefc4e8a383bf070785a2bd |
| SHA512 | 7b96fa4d736b20d5d4362a1b29db9260f8c284d14c1802127d1c69a423556ab766018b7fdca305b1102341b8d3b5b930ac72d9d81097069125e18c63ab450c84 |
memory/4556-213-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5064-214-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 84acc395c49680c084064d08e0620e73 |
| SHA1 | b7b93baac3049c0427b7713d68f436653812bf8a |
| SHA256 | b02b7d665d5caa94df927cf79239a4a249f6aaa0797a90350dcb5ff394978365 |
| SHA512 | 445b4227298cf603db54b85acb2d50df36cb289259ba41c9e51e11e0004c0d9bd978d18f83db99bdf7ce11e44eeede6e26fa00846326bd088f513f14f4490d36 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0380a8a6093d51db43ff4bfae9da3bc4 |
| SHA1 | 1c8fbece728e9d4542e8e69eea18fd3eecb14376 |
| SHA256 | a76e1107e0fc255db669e8f0f7471f93f35026a7493dd48f736c217b319d8f82 |
| SHA512 | e706107003a19021ddc6d8fb5a0de9afdd2c5879c6ef67bb54679914af7971747b8ad7594477701b87ed7b4401b57e5574c7d80d2b6e2b24162cd52196a82efb |
memory/4944-225-0x0000000000400000-0x0000000000434000-memory.dmp
memory/5064-227-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 17dbb0392ac9e9d2d86b9111f1232cd1 |
| SHA1 | d342e3d2906217b087b80d05327337010a335e52 |
| SHA256 | 6a2a38b881762c99fbf01fbe4c042ae09a24b2c6563258adc67983ea2227547a |
| SHA512 | f9a330f003c9e907d735a29a714b013f744b27875e4786a1eabe674859170ff4e8e78f4ade269b987dfdddc5174fa2297cacd36fde4b501094c79ef71fe9d4a8 |
memory/3536-236-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | fefcc34ec326604a9d1783eceabec2f4 |
| SHA1 | c38d3cf40111b6f283dcd96ac6eb43045d6fcf76 |
| SHA256 | 4a776e0e40033a038e7619e81476e4092ee07dfd782d592eab92624a8887f56f |
| SHA512 | 41c2dba7bc499596e7403b6b4f31b408ac4f8b8f3efa18e0db7faf28ee4c9bc345503b55ff0f02875f03b9343d2d3d5991a8f1c93fae019149a57b02832296e3 |
memory/4944-240-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 68a5a8a0c87e8e9b2d3e62edc695806c |
| SHA1 | 92f8cfc590db8763ed52f51306790b97a78c1f53 |
| SHA256 | 609cb4ac76185b7a3e2ca56175c4b6654e36674baf5487f71eb50b9c826f8a3a |
| SHA512 | d3d749b3f9bb3c02ef734b15a7baee7e1feec5d99e90d5d52abc46d1d9b68c07f55de8ff48b3895a03545ab7afa2a20349fe4edec22b9a1d25460b3e8019bcd6 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0140e62e08c017360177c9f09bd17912 |
| SHA1 | ad2a9447adc2a869af3371d2d1bfdadc95820b1a |
| SHA256 | 9ef5fc2f13f4b90f53cd67593c0fc458e006752a125cdc123fcd40e7be9f5312 |
| SHA512 | 1987d2c30eb27304a45e1f037063892043b073be76cf83a1b551126a0a534bf490ad94d010a8311c0063c1b45ae21ca7fc00af690ee100c5a9013f96ba24955f |
memory/624-251-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3536-253-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | f4b237f856fb933038575c24c8b0079b |
| SHA1 | e2f740693e1613f9966d4b0e125c41c123d43965 |
| SHA256 | 8372bcd5ddcdb4f0d9104539ac5c3208f32554fe4cd14024da93efbe8c6c5a73 |
| SHA512 | e3fb01f2fbf511efc10a4ad6454ac64b2d62f1791bb857c846320a1613c887926bf16964094fafdd86112d76a2b05980cff5fddaa85d62b1b3cd89f9259cfb9e |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | ace1dd847e132985d45cc64e816337d9 |
| SHA1 | 7782310f597c579740504b8d59e217984d35271d |
| SHA256 | 535ec15c27ff79287c44d9e55abae2a96ac3353a6617d6ce7c026e67adbb7638 |
| SHA512 | 3010123970db04ac71e08a8b6250644568deedac28802ee8866ff35d2b8e51b22d03a4e31f7a411d52393d7c239dd839443bc5fae6b345d6a8bd5cef2776a3fa |
memory/624-266-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3052-265-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 66779dc772b32023b34c4eae3ae9b1c9 |
| SHA1 | e69f46cdd3c1393ae952ed5cf00b8d777c8159bc |
| SHA256 | 7abd74bfca44eb41d19c1a15d1b8c6c960fdb04a09cd9ca6ff2455325efb8e1b |
| SHA512 | 17645c98edf8a14fc50eb93ca127df8d5c9ef5f24f4e36f9663a9abbd03c2094d9c6d00a88c34fd3cafaad4c64097a99268bf2cfd808b3b61f8245ee30788581 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c2f0fd124fb101730f00eddda8d5d045 |
| SHA1 | 810eea2d3ad69d5d89782327889b8734ae254396 |
| SHA256 | ed03655bfae3776e24d71acc3cd9c642d3ae12d640bcd2ab09586b8845ea68df |
| SHA512 | cd379cda80988cfe16afcc9306c82aa4255e919c115e4c8ccd702d2580e0bbd18a7b08162cbe6018a7a05f291d07f9ee0e7550ecacd02e0d943425670000c4f9 |
memory/4824-277-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3052-278-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2992-286-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4824-288-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4932-297-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2992-298-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3864-306-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4932-308-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3992-317-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3864-318-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4732-327-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3992-328-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2948-336-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4732-338-0x0000000000400000-0x0000000000434000-memory.dmp