Malware Analysis Report

2025-01-18 22:27

Sample ID 240502-2wdndaaf98
Target 6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b
SHA256 6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b
Tags
upx adware persistence stealer
score
10/10


Analysis Overview

Threat Level: Known bad

The file 6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b was found to be: Known bad.

Malicious Activity Summary

upx adware persistence stealer

Modifies WinLogon for persistence

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Sets service image path in registry

UPX packed file

Modifies system executable filetype association

Adds Run key to start application

Enumerates connected drives

Modifies WinLogon

Installs/modifies Browser Helper Object

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-02 22:55

Signatures

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-02 22:55

Reported

2024-05-02 22:58

Platform

win7-20231129-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

UPX dump on OEP (original entry point)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\spools.exe | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Modifies system executable filetype association

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A

Modifies WinLogon

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3060 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3060 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Windows\SysWOW64\reg.exe
PID 2132 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1324 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2668 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2556 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1152 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2804 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1716 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2332 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1436 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2772 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1608 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2260 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 288 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1036 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/3060-0-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2132-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3060-1-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/1324-9-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ab60716488cc36c522350dcfac108a4e
SHA1 5bf33c1ea1538f4b0fb1b67b535d26e4c2e0f44e
SHA256 0970c532b9c393fbfc345337cda5889626d993e1f4ce757abd3f5d5fbcd37e89
SHA512 04a9af63574dd8f79ec63c87bdaf05894fdd34ff93d5c864f76e526017ddbb6ff070c13520a3ef2fffaaba3b3800be225cdbe2f34f7e2d77a1c59187acc4d86f

memory/2132-7-0x0000000000220000-0x0000000000250000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2132-12-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3060-13-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 baab1f506b8ff648a41050ee4cbabf1c
SHA1 aa8df35baa20c8d022f145d1e79a6377a52c718b
SHA256 19a37a6202ef487e678001d5188cdc4ab7e7909d1f383beb8d2f6540e9aa06b1
SHA512 2f4bbd60a1f297bb9b20c1643314e17728c07886f2a667c8683cc620361dc2f8a05588827b735c896ee9d7056c26f97ec28d73288b56d3df088dab53690525a2

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4ede260b2f87842224ef834ae409eb5b
SHA1 9d4f1736ab4758e4b3ea6083b206963d12f6a0f7
SHA256 e1478d3d2b8a7066a3f4f245408e32b4f86858e18755392c421107780f373d3c
SHA512 c9123a40f555677fb837d53c34d2e4e31e1d2dfbcb4305410331e3a51ac8f13caead1c7f5e3405f9d7a1e5910584afc5eb2cfa3e98a115378de5a184fbafa507

memory/2668-20-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1324-23-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1324-19-0x00000000003D0000-0x0000000000400000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 eff30cc1c8db1791b7ab4ba8eb905780
SHA1 b65da6509627c0f50b0d90a106270f6c21736232
SHA256 3efe49ebb06ca17a127599b415f0fee21288825f46c523c8a904c8fcb9e8272b
SHA512 03463349ddd06201c9c2df34484a85aef3e7e2b6b620149b0e5220e5672ea31d7e3c5fa309e67b79d1421ac1380cfd772ecde247d4dec8f533621eb76f4b1f7d

memory/2556-32-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2668-28-0x00000000002A0000-0x00000000002D0000-memory.dmp

memory/2668-33-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 44e3f26d36eb092359c859e6c3aed5af
SHA1 e22b9fb923823d018c0f1b46c29a0267f33ea88a
SHA256 2baf7c94a8ba73fd35ac9b504b520e776ed1c317563e7502c0fccafc986d65b7
SHA512 61b51f75fbc3108d828a5e51b31e6582e50066574b3341b2c95b90c7e8a7df0df14b2d33b5a8afad9ad42ae38e72b870df23ec02fd7a5f1b13d9c09a3eea25d4

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a0263cc95e00ef44d04ab3833f509265
SHA1 0ad753b5fff9198dd2e0d2cf99fdde75eedfd777
SHA256 63be51f7f32e652fbf959adbe711676413b79869d61ed9ed49f414d39f4c6f80
SHA512 f01c25ae4135952a3f6991ddc4f50871fceac78a3c1f179b642400ba5c3115c7a9c55f8a78fb6eee69c35e50b1a9bc06d545cfb7734c40db9e70f02685e53c41

memory/1152-40-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2556-43-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2556-39-0x0000000000280000-0x00000000002B0000-memory.dmp

memory/2804-49-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1152-48-0x0000000000370000-0x00000000003A0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 d49bb8f624ce3c2a7c29d4dc2e970168
SHA1 7a5b6a6dee8998f6bb42f2570f7bdc52888ef00c
SHA256 db085f0a2829fe6b8dd45806337593135f0efda9313fe9914febf6b2bec5dd48
SHA512 f6b500566cf9863b19d9113f4f2578f7ca8dce17e2e577b65110e9a9ce87fdd93e856baa2be699796d5fcd91016f77c1b42fd027e256837dd11ab3798bc29311

memory/1152-53-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b0c7f149cf9683dfd9a1c2e6ea0026f3
SHA1 d7b14727cf2b4df732ac08702daafe7a79152999
SHA256 f6718ab9acf27e19f2a65c7d6b60ca4e63485ced56b4192af12bf6c3fad0bf63
SHA512 3b85869fbb8a9dfae01046d10e6bb98632d800662fe2268049b4b672ba8d87a6884ad24da7252a911aaf6c6b4a85edee46ee8ff704824f42288068f413504987

memory/2804-57-0x00000000003B0000-0x00000000003E0000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e3db2b23a941810fef6f21f476b35cc1
SHA1 1267f7d1e90f30723b93e488b3a975aeb8fd2107
SHA256 57e24930a817cdfb7e0f4753dd3b2b421934679399cc3ba554949f2ad4c65151
SHA512 f2b9cb282901932e45091df311675d10a9bc8391d8fadb41b96a7359d77bd41c92791fe344e615fb300fd7a968e0c345ed330e2f7dde535f75b6f82ac5d770ed

memory/2804-61-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1716-66-0x00000000003D0000-0x0000000000400000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4de2ae9de8800da6187b7773a588183a
SHA1 3befaeaea89cb84039e9040ac2f2f86ec4069969
SHA256 cc6ef612de942c0e7eeb55066e77837efd3c18caa32968d7e1c0de9ce6beb70f
SHA512 24279c9f6131cb5b3c796337e051d3e14940f5cc82f65c1e6495128004469d08e00bac3ccc690e09ce130c9f21f6a83c9c456cdd9d81df6c870844393ae56b10

memory/1716-70-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 85f718a0edb43e2748edb3d3dc6d8152
SHA1 b451408922d74d995130f81e69ad4d051dcbb165
SHA256 474f7c1f14e92b234e4fd1f5451b32f374bb193ffe38f77fa31e26da27271f4d
SHA512 b6f1abffb207fd9d21c4d79857f2b308df366dc569529d4f2ab358152c273876a5b3efb02b001b2441c2c97dd735709c3e15b88f4ee3176ddcec063e592738aa

C:\Windows\SysWOW64\drivers\spools.exe

MD5 738e0aee0b6130e7ed45517784168307
SHA1 95492794caee4a0fa7a1caa1d5b069e91dff76e6
SHA256 314959592e8110e90817ede5ba8731f0a2e6b398ac91cd8215efd0b925e7e812
SHA512 2f38e0d8022fac9600ef36cd7601121dbd02236250b97c288721a7573b54f64d710f2b449716407c5072655f2423ef275e6691cfe8129306ee1ee342c945dc9a

memory/1436-81-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2332-80-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 35b53d1c20f4eff732656d05a603a5f5
SHA1 d7f53a8d0228a1a4036690cfb391513a012684a6
SHA256 bc4ae4525a397315129383fe7d97ce72d1c1d1010ee602717e1282964634ff7d
SHA512 01b9625099be9d0f6c5faae304ec0fbe1a944285719671123b16265687f6fb19f1bf7f0dd59be1c216610837604e0918e0c5977f3e24f65cb3e397ca509bc21b

memory/2772-90-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1436-89-0x00000000004B0000-0x00000000004E0000-memory.dmp

memory/1436-88-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 e2c5eb451ea0f1db9e776727aa5fce72
SHA1 43194eb1837d8062fd872245388d0c9fd0fd349a
SHA256 d61ed0f39dd1f7e77f03e62edafe9c5df10e54502e28ecc88748ae242ed42564
SHA512 2e5ebfc5fc181b4ca3628383d7fdca2f070fe13cf10fa6e8ad4a92c7d605cfa35ac092c04791a141043a75550100bfa54470d2bf87fb3bd8845714f7fdb5ec8f

C:\Windows\SysWOW64\drivers\spools.exe

MD5 61310ca60889b621c8f827eb445bbbf2

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-02 22:55

Reported

2024-05-02 22:58

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Windows\SysWOW64\reg.exe
PID 2920 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Windows\SysWOW64\reg.exe
PID 2920 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Windows\SysWOW64\reg.exe
PID 2920 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2920 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2920 wrote to memory of 3192 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3192 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2744 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2744 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2744 wrote to memory of 3744 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3744 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3744 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3744 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4084 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4084 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4084 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1224 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1224 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1224 wrote to memory of 3768 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3768 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2480 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4752 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4752 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4752 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4060 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4060 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4060 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4700 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4700 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4700 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1440 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1440 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1440 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4736 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4736 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4736 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 532 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 532 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 532 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3852 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3852 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3852 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 552 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 552 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 552 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2180 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2180 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 2180 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3700 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3700 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 3700 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4196 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4196 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4196 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 4848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
PID 1988 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 214.64.18.2.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

memory/2920-0-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 15d2befadc634195a0a9f827acf33d6a
SHA1 83fd3eead3c68d86946f69d9c107ca4ed5f9d948
SHA256 77128149823a30a4d19dbea6824a82e7d1e0ee84851bf3ee5af6aa98b3e92852
SHA512 f13d8b51cd74692cf3e03c344aa1ac4b67e70fa44a46c8fd67c24a78a0001f3d67973d6fdb26a9cd8c7701a54ac99ab680370328dd121a78c255e74da72a4b1f

memory/3192-7-0x0000000000400000-0x0000000000430000-memory.dmp

\??\c:\stop

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/2920-10-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 662859dc14ba101299bb980f175053e9
SHA1 1f28d608741d7dce476599d00436a75c1985231c
SHA256 8f9c9026828b9e82e7eee34eca60e3101af56e5bfd8f08dd05b1051594944bbb
SHA512 caa2aa8f972ec4a07c5c5dce87f41abc78db5a5dad423a87ff7b5cd707c4e12d411046d665ad382cdc170883dfcf8f3dff6cd8c0197e239a60faf472d7a0b4d5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 c9e447e6094274bc4b517aa932e8d913
SHA1 cc3d14ed1e0f675f6c33076d655a6fc6500cd140
SHA256 8738c0b923c59cc59c6c279bcacab4ccf7200edbe138056de7fdf7b3869974d9
SHA512 d0548b39e5206deb6719106d2c63f6e41ca045293d9753380eacdd6995c1a5f8d24b5995601eab95e4d7bfe494e614b5a41e403412901ccf0da3a6e29e8733a4

memory/2744-19-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3192-23-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 324915e5c240183a89943475de2f434d
SHA1 a9716bce25f2f2206eed94539cb0945f89018b88
SHA256 aa01d8f8052520694cc3187e2dd9ca066bcc1e65b91d9f0af2f357af1c1a2b31
SHA512 7262c674bfba0dccc9a39d0e5d406679cb256f5cbdfded251802848dab7d5b5882138b9a08b8b62c7cc1e630a6039833f5832a11f18da736a18dff28d71276e7

memory/3744-34-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2744-37-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ca01188c3ebcf471d2f9e8df83c2fb90
SHA1 4a744ae126aa3d35677e9e7b54cde5fcf9884322
SHA256 ebc2ab718381ebbd520078b984c11f97f0f1143911dd29f51e563b754f8321f8
SHA512 9629cd6c3a8703df571b3abddd0c55aa3c92f3c6cc237e85433da6d57fb22c2e453c7d47864727c5a8984767609014a7f4002dee66ab6f7726a2a8794e16fdee

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c284f203069c43c0c6cbb2406aad2d85
SHA1 81f4ac587e0728d70c92da09e374a17357ead5b5
SHA256 55b40299204de919e298b0c8ca4c7e8da66479d55a85c638c91f4b7ddcbf0553
SHA512 ed6fc33f94ca3b8f2eb12e17a1ea77ce62f9cf2ee2182ffac8e4f0641916bac83de3265bd49109ec237bfb1943e66d8d1803de5ff7aac8fb4ad0564de809b610

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0c4cadae408c30d06225e13da0ab9648
SHA1 4ab7eab3ef2793c499f694553232f41cee40f98a
SHA256 52fb2389335eabb9ead1788d375b3608d3b8ed1e232989c95875ff0e57555e11
SHA512 acaa0ada5144dbe645085cc7915919633865aad04499de311a723560a2f6cfda6222aa7ca42905585d3426188f5e264599e9eed829d25da10af294f27d547432

memory/3744-49-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0e19e8f5f2761b0a7726ab373089b6c2
SHA1 eba6702981ebcd7f198299d26a211414f9d08a4d
SHA256 f07062a742ce472247e44dde8107405e917fa21fe16dd4038c7e760c713c87f0
SHA512 d987838cb539889a9db28fc2dd57476f9671a1d59ccd26cb65b1fbab43b0d39835ab922daf20cbeeeadd71f0943bfd1f82af663ff040de566855e67d4ea42697

C:\Windows\SysWOW64\drivers\spools.exe

MD5 5dc677dbab5156485fcf089a11abebce
SHA1 78bd0ffa40d4bc9a72928071c118f525e592d3eb
SHA256 804e434a551359e69473382fe92ec2e7b44f003a57560a08bb109667cfc54a36
SHA512 a496755ba6777a50a56c95a366e3d664451d8daf20314f9e36185935b4dc32dd1c207600cbd9381bab4cea34f6d66916c3f51ed64e373011778c4bcc95d3b74a

memory/1224-60-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4084-62-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 92e371390f373c544e9134fe916e6738
SHA1 ef18b342b797104d111e856b33ddd378bd50a276
SHA256 d787bba23232b812a801f70d55b11a11e83b320302b3f9c64f2deb7079585560
SHA512 0e199e22d65c1451ea3ea6930f263a810c5a2bdf7921712c88952231da08891c08e2c9ec83abaf4d1ebd170e92e447c424d0383550f6c49f10301d70c0b3e36a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 81561715d621efc1ca297ec6eec03ae7
SHA1 d77282f639a4853c67dbaf082d2ffb2e5c277c34
SHA256 87c3dc7c9d2d59671901a67db3715c412d6c2536814ae32551b24d3525379f68
SHA512 71465f2f720d86285140468aa4137bb99d12751424f84d0a298fc305914299d7b25f26959931d43d6a5259e31d77feb788282847b3d95e5ef050b1bd0e669960

memory/1224-74-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 69bdcc3f3574a9cb292a33874c488f3a
SHA1 cf1dc939e23ea8069f473cd1e5dc9c5af1cb3637
SHA256 50239eb030500009676fa25d069a3cc775a14516c38f5b58be65380903756354
SHA512 79c8e7689ed836ca7479ba24861daf107fbca2bf5b0a88bdfb165f55701846e08ec7413de6b6a4f4f62f0e1d14c4ccb81b4bee1de4de10230428f90ef21e4f03

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ec8627368f34cfb1f2e7a025e73c2066
SHA1 1bb0b45e39792c3514efacb9aa3e4e773ef9c41c
SHA256 360afb92919ed52e3d804663b821ea129d4fea7fddb95cf6ba62786171809757
SHA512 cfacf1930b45f0fab2ef19d5d54243c969fc68c15ba7bc6690331df68bc2947b3111c1c6ca483d58ed73ab9eaf3d3d355fe8a640ea8b752e19a1acea91371ff5

memory/2480-85-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3768-87-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 9eab2fa657d0b76d422fb6536b252292
SHA1 6612dced4621a2b956afcb130740de14b649d6e1
SHA256 e45267a51f677e9bcba0ede3c967f636a84b68b22b8c4bffe8618c9df09504f5
SHA512 c2a28eca8710283649edd9c00baceb5ec5256868ad977121a0ec7ff8926ff10c3e702c9d3261e195c17243b0314249979267cbd0d1b819c449555af30cad5ac7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 3b176333b2e4337c39197c947b542703
SHA1 b470f8283260553c94b599740391aef00589a130
SHA256 828a655f6ed6cd3dd79d3e336b8b771b252b12011c5a00f69a4a35887dc5daeb
SHA512 ed7baf3e9d529a9b3aee86eb9d9d7d6c6302097b9bf5371120cfc671fa208e9fa1d42a0be6236bdbca620723ffbb8bbb86fcec9592ab9e432c02f84aebce1dd1

memory/4752-98-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2480-100-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 8d9fc8a2b03cfafbc6c98683a7ddac9e
SHA1 150e8c799037bc25a27f2d101efce80b573e113d
SHA256 2bfd4c08f273b084a788e8831b7319fea548ecc03fa856dcc9c6e77d381ee09e
SHA512 261817ad2e3f39d3bf940d4b41ab9da1329b053060ca8e6d9b716e68c07202d833462a1c5195c064ef27c42f06a17f923321a85c9b042cbfd6e6b7de4808e7d1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 423694815607cbe16492ec274d570f72
SHA1 c06c0d9e4ab94f5c62accb2c84b8be76cf2deea9
SHA256 868ecb339db182509705e449f43fd49bd302184b5d7c1363e8d0a0f0afa01f75
SHA512 58c9d78529bebba9a42f36f7496054a6864a1dea0cbdcfdee9ed0468c0e8b3e3859f6454317eff87f04d85b1d455ef24cd5b890884aa6fcd29bd39f05a757f58

memory/4060-111-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4752-113-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f585fb3bbd8cd7459a83ed3435af3fa0
SHA1 e0ea0b915f7c03d84ae1d8c00d9397e6bef7fd06
SHA256 5299c042cf4021ff77bfd6cd82b1aac49a07b0dc85ddf205e3d1153920f356b0
SHA512 75b18e73d4a8bfde561365340e5c32fe8cb6556d8fbd0b94a59427acba4a38167b5ee0a6b7a437cf6479f22a14c2db0868b634612627245d388e1560753c8374

C:\Windows\SysWOW64\drivers\spools.exe

MD5 15bbeedb594a762a27e7916a52d6a036
SHA1 947585776f70ee70b88652edb3d265b07fa42472
SHA256 3a4cd1ed328251271929186cffb7e41c2d46383e712af9eb494a9c57c52eb7d8
SHA512 f708af4cc0fa3a43485c09d108d2c8fba6064eed080e1b65e86c19ba4b4f2af1239a2835fc9ea169374aec22f864120c5fc9ba95624d7835f819efb6748c1b35

memory/4700-124-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4060-126-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 81c195690b166a875ab24bc008f38602
SHA1 7407721efffd9b86b9c7293b3f411f1114c5f92a
SHA256 f83646e1fdd3cc0ba82ee5577535a3112906295248c74592790f503ad71026cb
SHA512 9398d20713e4a580067256e90314c0ea1db07fb273d37f408e2d933c5e3cfe1e6325e29020865b40a57fc51636434e21a72f082711dc4686a89cd3cb8406ab05

C:\Windows\SysWOW64\drivers\spools.exe

MD5 8da6bf3ae6da82ec98a0cf572ee0bad4
SHA1 837f74c5d38a26d3726dfac4bf1a4b23dcab6397
SHA256 3cbb3c2a9dfc099d7199168c34515363a32a1643190da5b73e6a46fe6d17eb5e
SHA512 2dbbd11eb027e80bcd7ec7bfddb28a9b54f22051ca586d6bcedfad5cd66f69a8be3ebebc5ac1287ee0086ccffa19405a97972bf670313390b5694bafe0716f9a

memory/1440-137-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4700-139-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 920b944c28551e6e0dfaec4c212631a5
SHA1 dcb421e99baf892a2eba619cbee416cc4f4c6b5a
SHA256 369c1bbe4ccda50ec520a1ac19b7a8bf972621e219382723dc9ffc0f3c5fd405
SHA512 cdd94fad581823e0988b752214cb2c162c022b0b8189b2a6b86787ede827ee606cf24bafe6087c21fbd652bed85e48c48608b6629d23abff600706acec94ccd7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 9305b61e1cea3c45b4630a24b2c5a22f
SHA1 9db86bc448b53ba6fb7bd6156c757b0753bfa4c0
SHA256 80a483eaeec5bbceaeafd80de4da83a3fdb9090fcd947d327b7010134514a9ac
SHA512 a24ad24f04409a9e00ba67873cef73313e2cbd42a727dd154daee2fd85d42a775908ad257d01d696bbbbfeb9d642b92306a73aa56ccb30f2f22df51bce74b1d0

memory/4736-150-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1440-152-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 c60a30085826e2281504b4764458a4fe
SHA1 efd40feaf3becd879e7c2ae5c475f6c52db6105f
SHA256 38ec0f033dc7e3a1d85c1186c2afbb882641f9886aa4b53eba3f6f83b4a526d9
SHA512 974ef6240199c0e383a421039f4da75ec03b3e2c04d53211018ef9e72c078b463e16cbe18eeb4ff2f0f59b15ae4e3fd0a331540a287e73dcfd0c9ec8cc9262bf

C:\Windows\SysWOW64\drivers\spools.exe

MD5 23358a5799e1b921cd99db39453ee17e
SHA1 136bc0e7792e9bc03bf31970302356f463ef8dc3
SHA256 eda764d9293955466f91f982cec020fd3341e3ef3ae4bfb312f6022ceb9d3ac4
SHA512 7db126ecf79be94d8823486268c53267046de61dc5f5770b45759e6efd624579d7a24eddd74c979d6474c504986b8c47e106af812ab32a044f4d942076d5fbed

memory/532-163-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4736-165-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4c8ad5d6901ec3f458f3afe0f231a7a4
SHA1 89baddb8f4ca6924c329843a11f13e7c7d54e0f9
SHA256 159507375d698733eab7fb9d712ae55a9868f4e1692fcc99f25e926799b5bbd9
SHA512 6eec466fb3a6621852d73fd1b05fd20a0ee042f5e34384279fd36212c33287201645f74014ba052bc788859b3b0583932ebbe27e6b3fb4800c5992476ce79df1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 7ac621b93292ae3c04c463bac8f0a469
SHA1 295ab0d1a38076d97431bb9424206a58eb36bb2e
SHA256 430c5e8fe4142b509c3a87f66c014a6e4f051105752d90243f758d1ac17e23d3
SHA512 6d93d28bca3c398dd2f531ae4d90e92114912c71e7bd0cdd6a1bcc6473b378b3234317faba820e01ee666b237edcde20acabd5f3b9416487108c577842267a85

memory/3852-176-0x0000000000400000-0x0000000000430000-memory.dmp

memory/532-178-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4a05b6809319e32109ac87f5646db42d
SHA1 26b6b199966d5a3323a9533e60db183ad4b2f115
SHA256 7805e05939f4bb27facf24044c5bf15823b87202af545b1e34d5c86bb57ab075
SHA512 f88976a5cb288bfa731122cecfa860fb5e136830ad081990bf1f778f0fcbb8eb5d9363b8d7c909715a4c8d8eb25e105d2efb7ad5454032baab97f58f022db9d1

C:\Windows\SysWOW64\drivers\spools.exe

MD5 aaae849e4f569f0f8a20965bcdf70c9b
SHA1 8e75ada4744a0a5e72cdf8eae337f70c25ddb2e0
SHA256 1d6c06ae97ea4273acc6d56396161daf8c82d72b2eaa3b43dcca90771b344333
SHA512 f737965ee6c6b7298b4674837dc7cf53ece07c9583eadaf4b65911843c59bbb89d1fe1a6d26e42e5df367635bb05131c975322a226d7a90a7c2dfc6d1ad93a52

memory/552-189-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3852-192-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 de8ef51a9245490411762d0ed4727466
SHA1 bebc17413bd5507c8e3b7e12412c7afea5165150
SHA256 7fd4b6163cd261c94ba03e828ae01af558de744cdc42baf65beabc371ac628ee
SHA512 01226992eede8cb9bcca519109e65b9475a36efe7ac407fc18e957e9a16a9ca2979818aae6c445ebda51a77a3f190409cad36e0c0c7bcf754d6d57cc8b4b8073

C:\Windows\SysWOW64\drivers\spools.exe

MD5 36022f7d03ee5c80b33415c6cc7d87fe
SHA1 33dcddd2ad85576ebfc7176c896640ccdeec4e82
SHA256 6866f17b2a2eb5ee4b84959ea64a54fb087d6701a3024f123d297c295e7c462a
SHA512 6f77888cd094d5904143e1617967747c6a803b8f4fbb3a8bb2475959ac507ce55104928ca33070a11b168a3f0f210240ed27d234f106b75b435af5fd8f41b300

memory/552-206-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2180-205-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 40faf7747f2091641e0557e9482c52a7
SHA1 2cdf71db18aaf09e229f00424ee56c643fbc8d8b
SHA256 ae3a291a5dc2b1c5829ad19ffa6f1af33a1f77d4a05f78e715d1f4a6b8ca0045
SHA512 0719f22b1d1c8b8702ce97437d34b68b36791f6b02a80240e862f226cf6f35f05ed5b85b58a1f11d8d20d173eed5081ccb74373b0b94a00623f3535ae5ebb0a7

C:\Windows\SysWOW64\drivers\spools.exe

MD5 4b77e555d8b4cd6c8aee04899b12f7fd
SHA1 cdcb808e724ecacce9fce04e562c2b59ab109edf
SHA256 c705777158289e889370b5c5dab11c2bf3542c6c87196ffff4b5bd4a69ed49ce
SHA512 4803e688766918772699a9066331c68b6507e1483c2c3104f03f0294bf682c546d05e49587452c6c48d966cc23ea0a2ab996d2e138ffaa3f8c7b7eec125b9747

memory/3700-217-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2180-219-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 4f3a5ad912d01294f8155ff4d6d9dec7
SHA1 8e066553f7290f1f7414f82f47f5f7aa86387e7d
SHA256 5797215f21d249cda8397f1bafaadaac69f268443b643a76b29179a2c7602d95
SHA512 8ae1b80c6a45be9178cedad50ade63d0cb7e56ab868ea330f5707fe9e273a50cfb33e37123c808b58f0f1a2b32260df7e5657dc107d917b924a0a2746380b0fe

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0fabb5ef997c84ef65bfa7b33923dc48
SHA1 9df2096463c0399084dfda7e865e771e6f3e57d9
SHA256 f32480046d7f7dd580a16d2d6aa3af722bca5338b4de9c389fca533f79e25b99
SHA512 966ee5f08ae5d6b50968ecb5a6730aaf4eb4b1854d32b320b00c57cf0ee419ab38ff563a5f971111e99570815cd84aad9f8146635fad5b2cc15544b1eda0572c

memory/3700-233-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4196-232-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 a613da87d57bc60564ba320c85ef18d6
SHA1 553e6173a4c7c71c161d53739bdbd714f537544b
SHA256 aaaa11c689c711bbae1e021b4ac77981dba0b04320935b27ff0a245d6485a321
SHA512 d61de0675d252f3029ccd95aea8b6e9899e74ce3d212f25856807655b60208cb469cd2b5ee89fc826b5d026980ee700dd9d0ad5107080afee83fc06101024e55

C:\Windows\SysWOW64\drivers\spools.exe

MD5 1564e7e1c658d6f29ad3186d415d2c4b
SHA1 cae9c535aea0fbea37b80a59d2f1297ec59ea049
SHA256 4dd12d3246b3cff8ab944d646c2166e9c82ce0364018114a0ed5f393833e2ae1
SHA512 a430009982b8028db0793a85381222a94d562c5200032d8df81b278bd9baf63e6ffb1ab0c7781e6284408607e5c484a1ed16fa14afee0c708576296226692e3f

memory/4848-244-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4196-246-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 125936428ea7e1271dbc500622b22cbd
SHA1 d362bdd5ad4515a514137bb781503b9f6940dbbc
SHA256 6652e2c55b4bd3e1999cf225816a21d6b93f17dd0bd730042588a7de34ecf79d
SHA512 f2585c4ff4bc0ae46e91218b61bb17eab6ceb0d0033e4249ba078c3d9675da15cdcb8df6b7486e02cf47cb046eb1c4de323f4ff5c6ebe0ce9112c93afd8da324

C:\Windows\SysWOW64\drivers\spools.exe

MD5 05f4811f934380565832fd2f2041169d
SHA1 8ff104662a87433d630b4ce801541c0e3a5f302e
SHA256 c3e218211fac8e4092f8e763e27d63a163447fc6c7153722ad3e580c2badea32
SHA512 4078899f5446688a67769bda63d263a8f812fc6a8f4c59e060254815e0c4d415bedfdc082054ae7f2363b7896c4fec28c1c70b1602b01b73b256472b81fcb140

memory/1988-257-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4848-259-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 b6a179801163782a9dec5e3be79b118e
SHA1 f40c892d820b435f91e02b7f1f9793d3bb6d9dcd
SHA256 9aaa716ecbbb9b71986f21c27714d78aa6970a06ea875ce5736c77bc4460d4c6
SHA512 e7754d48874f6841224dbd446a4bc229d80560dafecc5b3a462ae978ea0779335738f0f4b9e022d8f6a91e4fa84391d22501bb81f1c1d1c78d2b9f33128f44f2

C:\Windows\SysWOW64\drivers\spools.exe

MD5 a417eb5520af0eafc6b92ee4323b7425
SHA1 aa5bc6cd3f21896f05f0a1dffcde4a5997359046
SHA256 ddc71412601de70b90953d1249beb833451bd3e68b3e493fd35493dac912e70b
SHA512 9c2ed63becbeb8bba101eb18d4a144a29a6c3562d090566ee4098890d9503a8e0af68c458ca83be0170baecd5291d21eb700fefe6718e26c4df84d446e9ded0b

memory/3508-270-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1988-272-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 df2dd9f9f831a1e64ac4b828b109582b
SHA1 3fa27cfb0435146db8557ac36adb8270b3d0b4b1
SHA256 15c24a305e75443999b5b8b560327ea58b3b7837b32e758495c9c28761d303d4
SHA512 4c1019525ecd90cbadb3b71bdeba240db8fc8261f2ef6bac4ab6ca083c18ce15cb25372bc864305209c7348f69265ccce1414a5274754faea1454d450ce64d18

C:\Windows\SysWOW64\drivers\spools.exe

MD5 0b4f56e06882abe568cf5b780bba9712
SHA1 3e11a7a6d03a526fe1b73ce004ee086a0d55c212
SHA256 3f5c2806a910e390b0dd4047d44245a0e02c134fc7f17dce2da86a24ed9f8eac
SHA512 2a1de5b69b96f826301ebaf9c62648b5b712a28c0e4fdb99d99815dbc59568e2ed12fda99ba81f554c5f08fd63a235e7aa09d85dda79d5fd757f357a776509c2

memory/3460-283-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3508-284-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4972-293-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3460-294-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4308-303-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4972-304-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2620-313-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4308-314-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2212-323-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2620-324-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4092-333-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2212-334-0x0000000000400000-0x0000000000430000-memory.dmp

memory/5116-342-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4092-344-0x0000000000400000-0x0000000000430000-memory.dmp