Analysis Overview
SHA256
6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b
Threat Level: Known bad
The file 6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
UPX packed file
Modifies system executable filetype association
Adds Run key to start application
Enumerates connected drives
Modifies WinLogon
Installs/modifies Browser Helper Object
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-02 22:55
Signatures
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-02 22:55
Reported
2024-05-02 22:58
Platform
win7-20231129-en
Max time kernel
149s
Max time network
119s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
| MD5 | 56a6a84968d91ce14b944a6307bb1136 |
| SHA1 | b21bed8b2903820deee3b2adc076598a47640af2 |
| SHA256 | 818b6b3b57fd49006a1e1979f1b3492ddcc1a067579560ebb2c9dc69fbafff2d |
| SHA512 | d748c10120e64fa1b51d887df1d6ecc3989e04a7b0232f279da8e903e1885eec9e6727e6339b06cac213f1f2f51ddddca200dad8ae0c385bcc62ece21355a2d2 |
memory/2720-227-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2468-232-0x0000000000370000-0x00000000003A0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 7fa99ed1376a41412d5782ffdf5c7741 |
| SHA1 | 277d953cdf3d638d2508d5ea1c1642adba316ae3 |
| SHA256 | 505f5931369661bc3e289411511c85b32f693da572ec2b1e42c9e2cf45ce7363 |
| SHA512 | 80cbcb39c09e643a1eedc10b231aa9d5ea954d9b58a5ff80ed74682b16a9bd2638e0cb0851ce2717ea4cb167b819391773adad2b0cdf84c60511edfd3cb94e2e |
memory/2468-236-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 91a41974aadf31f6a08b6573053ec3d0 |
| SHA1 | 55e9c040ef2d843725e49df881708540655c8e84 |
| SHA256 | 062ee4ce49ce9ec5026efa8a7881f554f88a5c8e2d5692bf427b952b9152fcd5 |
| SHA512 | 9241e6f8d78c6e455d84ec3d2d201f0efde9358748fbc749d29c968aa5a60ca42a87449b9cd7ec08701de0f62e4ab57a802d4b017764a69ba05f977bfe966903 |
memory/2108-243-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2452-244-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2452-242-0x0000000000390000-0x00000000003C0000-memory.dmp
memory/2020-252-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2108-251-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2108-250-0x0000000000370000-0x00000000003A0000-memory.dmp
memory/1416-260-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2020-261-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2020-259-0x0000000000360000-0x0000000000390000-memory.dmp
memory/1912-269-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1416-267-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1416-268-0x0000000000260000-0x0000000000290000-memory.dmp
memory/1912-275-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1436-276-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1436-281-0x00000000003C0000-0x00000000003F0000-memory.dmp
memory/1436-283-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1740-290-0x0000000001F70000-0x0000000001FA0000-memory.dmp
memory/1740-292-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1752-291-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1752-297-0x0000000000380000-0x00000000003B0000-memory.dmp
memory/1752-299-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2952-307-0x0000000000400000-0x0000000000430000-memory.dmp
memory/696-306-0x0000000000400000-0x0000000000430000-memory.dmp
memory/696-305-0x00000000006E0000-0x0000000000710000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-02 22:55
Reported
2024-05-02 22:58
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe
"C:\Users\Admin\AppData\Local\Temp\6921e481a5b9d4ea566be543b78bed2287da7ae145e738ec4f5807fb41ce695b.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.64.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files