Malware Analysis Report

2025-01-18 22:03

Sample ID 240503-wpvenacd4y
Target 006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5
SHA256 006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5
Tags
adware persistence stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5

Threat Level: Known bad

The file 006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5 was found to be: Known bad.

Reading the indicators below: several of the "Modifies WinLogon" and "filetype association" writes set the Windows default values (Shell = Explorer.exe, UserInit = C:\Windows\system32\userinit.exe, and exefile\shell\open\command = "%1" %*), so by themselves they show the sample touching those keys rather than hijacking them; UIHost is an XP-era Winlogon value. The writes that do establish persistence are the Run entries ntuser and autoload and the Task Scheduler service ImagePath (Schedule), which is pointed at spools.exe. The sample runs as a 32-bit process on a 64-bit guest (its registry writes land under Wow6432Node and its file drop under SysWOW64): the copy of spools.exe was written to C:\Windows\SysWOW64\drivers\ by file-system redirection, while the registry values name C:\Windows\system32\drivers\spools.exe, which 64-bit consumers such as services.exe resolve literally. Confirm on an infected host which of the two paths actually holds the file before treating the service hijack as functional. The "Installs/modifies Browser Helper Object" signature fires on reg.exe deleting existing BHO registrations, not on a BHO being installed, and the WriteProcessMemory events are the sample writing into processes it has just created (a second copy of itself and reg.exe), which is not on its own evidence of injection.

Malicious Activity Summary

adware persistence stealer upx

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Drops file in Drivers directory

Sets service image path in registry

UPX packed file

Modifies system executable filetype association

Modifies WinLogon

Enumerates connected drives

Installs/modifies Browser Helper Object

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 18:06

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
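The static signatures above report only that the file is UPX-packed and unsigned, with no indicator detail. The Python below is an added example, not part of the sandbox report, showing the structural checks a UPX verdict usually rests on: section names beginning with UPX, the "UPX!" packheader magic in the header page, an entry point inside a read-write-execute section, and a first section with zero raw size (the space UPX reserves for the unpacked image). The PE headers it analyses are constructed in the block itself for demonstration; they are not bytes from the analysed sample. Renamed sections and a scrubbed magic still leave the layout-based heuristics, which is why the sandbox's dump at the original entry point remains the authoritative unpacking step.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_pe(pe: bytes):
    """Return (entry_rva, sections) from a PE image; raise ValueError if it is not a PE."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40  # section headers follow the optional header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr, "chars": chars})
    return entry_rva, sections


def analyze_pe(pe: bytes) -> dict:
    """Classify a PE as 'upx', 'packed-generic' or 'clean' from header structure alone."""
    entry_rva, sections = parse_pe(pe)
    entry_sec = next((s for s in sections
                      if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    upx_sections = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    zero_raw = [s["name"] for s in sections if s["rsize"] == 0 and s["vsize"] > 0]
    entry_in_rwx = entry_sec is not None and (entry_sec["chars"] & RWX) == RWX
    upx_magic = b"UPX!" in pe[:0x1000]  # UPX stores its packheader magic in the header page
    if upx_sections or upx_magic:
        verdict = "upx"
    elif entry_in_rwx and zero_raw:
        verdict = "packed-generic"  # layout survives even when names and magic are scrubbed
    else:
        verdict = "clean"
    return {"verdict": verdict, "upx_sections": upx_sections, "upx_magic": upx_magic,
            "entry_section": entry_sec["name"] if entry_sec else None,
            "entry_in_rwx": entry_in_rwx, "zero_raw_sections": zero_raw}


def build_pe(sections, entry_rva, extra=b""):
    """Build a minimal 32-bit PE header plus section table (constructed test data)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
                     for name, vsize, vaddr, rsize, rptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + extra


def sample_upx(scrub=False):
    """Classic UPX layout: empty UPX0, stub and compressed data in UPX1, entry at the end of UPX1."""
    n0, n1 = (b".text0", b".text1") if scrub else (b"UPX0", b"UPX1")
    secs = [(n0, 0x20000, 0x1000, 0, 0x400, RWX),
            (n1, 0x8000, 0x21000, 0x7A00, 0x400, RWX),
            (b".rsrc", 0x1000, 0x29000, 0x200, 0x7E00, IMAGE_SCN_MEM_READ)]
    return build_pe(secs, entry_rva=0x28A10, extra=b"" if scrub else b"UPX!")


def sample_clean():
    """Ordinary compiler output: entry point in a read-execute .text section."""
    secs = [(b".text", 0x3000, 0x1000, 0x3000, 0x400, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
            (b".data", 0x1000, 0x4000, 0x200, 0x3400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    return build_pe(secs, entry_rva=0x1200)


if __name__ == "__main__":
    for label, blob in (("upx", sample_upx()), ("scrubbed", sample_upx(scrub=True)), ("clean", sample_clean())):
        print(label, analyze_pe(blob))
```

To use it on a real file, pass `open(path, "rb").read()` to `analyze_pe`; the parser only reads headers, so it is safe to run on a packed sample without executing anything.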

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 18:06

Reported

2024-05-03 18:08

Platform

win7-20231129-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
(64 hits recorded; no indicator, process or target details were captured for any of them)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A (32 identical events)
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A (32 identical events)

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

UPX packed file

upx
Description Indicator Process Target
(64 hits recorded; no indicator, process or target details were captured for any of them)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: \??\G: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A (64 opens in total; drive letters E, G, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W and X were probed, most of them several times; F: and H: do not appear)

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
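The persistence-related registry writes in this run (Winlogon, the Schedule service ImagePath, the exefile command, and the Run entries) mix default values with genuine autostart entries, and the paths they name do not match the SysWOW64 drop path reported above. The following Python is an added example, not part of the sandbox report, that parses indicator lines in the report's own "Set value" format, normalises the kernel-style key paths, compares each value against a table of Windows 7 factory defaults (the table is the example's own; the report does not supply it), and flags values naming C:\Windows\system32 whose only observed copy was written under SysWOW64. The sample lines are copied from the behavioral1 indicators above with the sample's file name abbreviated to sample.exe.

```python
import re

# Indicator lines copied from the behavioral1 signatures in this report; the sample's
# file name is abbreviated to sample.exe. DROPPED_FILES is the drop path the same run
# reported, i.e. the 32-bit writer's redirected view of C:\Windows\system32\drivers.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]
DROPPED_FILES = {r"c:\windows\syswow64\drivers\spools.exe"}

EVENT_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$'
)
MACHINE, USER = "\\REGISTRY\\MACHINE\\", "\\REGISTRY\\USER\\"
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"

# Factory values on Windows 7 for the locations this sample writes (compared case-insensitively).
# This table is the example's own assumption, not data from the sandbox report.
DEFAULTS = {
    (WINLOGON, "shell"): "explorer.exe",
    (WINLOGON, "userinit"): r"c:\windows\system32\userinit.exe,",
    (r"hklm\software\classes\exefile\shell\open\command", "(default)"): '"%1" %*',
    (r"hklm\system\controlset001\services\schedule", "imagepath"): r"%systemroot%\system32\svchost.exe -k netsvcs",
}
LEGACY = {(WINLOGON, "uihost")}  # XP-era Winlogon value; logonui.exe was its XP default
AUTOSTART = re.compile(r"(\\currentversion\\run|\\winlogon|\\services\\[^\\]+)$")


def unescape(value):
    """Undo the report's escaping of embedded quotes and backslashes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def normalize_key(raw):
    """Map \\REGISTRY\\... to HKLM/HKCU form, drop the Wow6432Node reflection, split off the value name."""
    wow64 = "\\Wow6432Node\\" in raw
    key = raw.replace("\\Wow6432Node", "")
    if key.startswith(MACHINE):
        key = "HKLM\\" + key[len(MACHINE):]
    elif key.startswith(USER):
        _sid, _, rest = key[len(USER):].partition("\\")
        key = "HKCU\\" + rest
    if key.endswith("\\"):  # trailing backslash means the key's (Default) value
        return key[:-1], "(Default)", wow64
    path, _, name = key.rpartition("\\")
    return path, name, wow64


def triage_event(line, dropped_files):
    """Classify one 'Set value' indicator line; return None for lines in another format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    key, name, wow64 = normalize_key(m["key"])
    value = unescape(m["value"])
    lk, ln, lv = key.lower(), name.lower(), value.lower()
    if (lk, ln) in DEFAULTS:
        verdict = "default-value" if lv == DEFAULTS[(lk, ln)] else "hijacked-default"
    elif (lk, ln) in LEGACY:
        verdict = "legacy-value"
    elif AUTOSTART.search(lk):
        verdict = "persistence"
    else:
        verdict = "other"
    # A 32-bit writer's file drops into C:\Windows\system32 are redirected to SysWOW64, but a
    # registry string naming system32 is resolved literally by 64-bit consumers (services.exe,
    # 64-bit explorer.exe). Flag values whose only observed copy lives under SysWOW64.
    redirected = lv.replace("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
    path_mismatch = redirected != lv and redirected in dropped_files
    return {"key": key, "name": name, "value": value, "wow64": wow64, "verdict": verdict,
            "path_mismatch": path_mismatch, "process": m["proc"]}


def triage(lines, dropped_files):
    return [r for r in (triage_event(l, dropped_files) for l in lines) if r]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS, DROPPED_FILES):
        flag = " PATH-MISMATCH" if r["path_mismatch"] else ""
        print(f'{r["verdict"]:17} {r["key"]}\\{r["name"]} = {r["value"]!r}{flag}')
```

Run against this report's lines the output separates the three default writes (Shell, UserInit, exefile command) and the legacy UIHost write from the two Run entries and the Schedule ImagePath hijack, and marks the two spools.exe values as path mismatches against the SysWOW64 drop; on a real host the same check should be repeated with the file system, since the registry alone does not tell you whether the 64-bit path was populated by some other step.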

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A (37 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1044 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Windows\SysWOW64\reg.exe
PID 2184 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2092 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2668 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2620 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2520 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2964 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2528 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1940 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1912 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2008 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2972 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1740 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 660 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1728 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 bublikiadministrator.com udp
FI 193.166.255.171:80 bublikiadministrator.com tcp

Files

C:\Windows\SysWOW64\drivers\spools.exe

\??\c:\stop

C:\Users\Admin\Local Settings\Application Data\cftmon.exe
SHA256 abf56f925e5268c8cdfd29a0b45e91d2e720788e336ecf71223f0581f45078a8
SHA512 de9f4207e5779402f39502888177d220619c20c95cb88f11b16ab7ffcde1faa7c70bee027281132a77d48e514dc22240d1ca716ecd5265dd68d27e64b08ae569

memory/2888-152-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2028-151-0x0000000000370000-0x00000000003A0000-memory.dmp

memory/2028-154-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 0b4ca0a73f454fdd390171cd2379293a
SHA1 e9d58136db85d6aafef3f79028fd09a9bf192c19
SHA256 b2ac8bd459e4687a96ac987bf5e4374d24a92c4068ed934b9ec9c51d342b662c
SHA512 9a32cad9eabecc25c873b80c38ca31a990c13a108555c858bab7023cd6784af21f6e39a17ce74b8cede8c24d34bfbfe4b9ec2687e31e4abfee812b4c9de671a9

C:\Windows\SysWOW64\drivers\spools.exe

MD5 517858f826db9101e57bf263addf667e
SHA1 1a63be5ac77c5185b520d08ef1cd729f8f3231ca
SHA256 b801f70d44d2e00ce9d25b5bd6eade7f682a32f48c4c1e9669c0dec2e54ad750
SHA512 66e990982e422a141d874fe5571a117a7188972d6af256192cf9323754a4b5f7e252176de7d2f3d480193dedebd15b3928a047472490c92464ec04cdbcca6949

memory/2076-161-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2888-160-0x00000000001B0000-0x00000000001E0000-memory.dmp

memory/2888-163-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b455a4049de21adebf4c433bf092cc26
SHA1 80f3378165dbf24de29436d24a2b36d9a091db0b
SHA256 a75e6645c4f7e4bd4a26084774c80209965041c9eb12a00730ecf13544e7a79d
SHA512 9310165ca849bca34233cdb5f45a0c6d10b8ad8971519428ec63b112b5c8aa0b2950316f51fe97c40c89e01594f7e7f6d18c2eb4672e3fae211652f1bfb8ed9c

memory/2880-171-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2076-170-0x0000000000260000-0x0000000000290000-memory.dmp

memory/2076-173-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 5529a78c669174dca9ff6b7f6175d928
SHA1 f1dc7552044bea1843b2820eb70655c72f0fccdf
SHA256 e9d7f83d1d770c234e5210c41e7c0bc011aa2dceb1d09b28b0ad008e6145df01
SHA512 5f7cf6998936a2bb648b666c7ee2ca25dcfb5f0705f3e51031db8b2f06796c426a078c844c119782eabf3092e1101896c4e248415f71302dea2ccf9b6652f064

memory/2880-177-0x00000000002F0000-0x0000000000320000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 b93f502b788d2bdd2170a58aba19e32e
SHA1 3f54705c4cd777bc264806016ad1bb200a8f0aab
SHA256 4facdf9c89d73f6187354a7b2866d8bb5106ac072411ac0ff968fdb0a7143127
SHA512 48c4df5cd4d28976c55af10beeb218ae06e7041e0278ec18c2e53d2cb2781308d7ed4abaaa683cc75545adf3d0d0126a126740d23f2ff90e3fff936331409345

memory/2880-181-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 af0513645a9a905841adfcc0ce4ceeaa
SHA1 07dd3d9e029defec186fad1fde73302856cfe030
SHA256 fdc21cc6370d4476df6c34ff0cdbd1afdd61d4b82f616d9e3ef289154cbddb44
SHA512 ee0261302e5272274cf38c5348e12450c91d29c0cb67bdd211d728a2622363fe289cc4965acd68260d1f09dad5949e5273e2457438d80ba3fde19dae832bfc22

memory/1948-188-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3012-190-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e070f66c44975e75f045a77a06322aa4
SHA1 c364fd1c23a2cae9e5993b45b635d8b7434325a3
SHA256 37694db9230c1d84571666185c92f945d9e8d4af9799fba0d690703bc5d98b65
SHA512 8c3739460f7902555f4914c00fc2baa11fafa0fac8f419273871fcc3904c43d1b3aee1be15d4d881e61f8d77b17a096626cb77f375143b0109187277f2f70cd5

C:\Windows\SysWOW64\drivers\spools.exe

MD5 ee82b64a5191f4210d6a750b6a54e00d
SHA1 82111a7968ac8fe62cbebf1334aa97abcc94c25c
SHA256 da732573a7d71b88f406379e22d907c3c9b25edcdfd4022b5491c4eee18d0b3b
SHA512 696172fbc413a1545e3fb401f077b931334b7c0051db85e035118431344972a81acdb5831fb6584859bd36d535bee7f631c4d022243e1da53c634681210505c4

memory/2372-196-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1948-198-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\SysWOW64\drivers\spools.exe

MD5 cc208efdf1b1ba8ab5cdd1b48756b275
SHA1 773ad152bad5c944ac0db5d900d64009921da260
SHA256 cac5399819f6d02c7705b86295d8490ded3eca00b96dbbf7292cb75bb12642d4
SHA512 cf2749b708df2293ddd6edcbbbae6df55658743d689bee2385e00be85f39b33f2e863a6e8173623aa36c82c3cbc3fe0f77c5ed6523ad501643141c81a5730eeb

memory/2372-206-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 f8b7d81972821ae14a20b7fa90b15fbf
SHA1 a7a049ee27f0140a2903bfe5e1f5a6b49e60e24a
SHA256 7c538f557355c6885378e5bc02bd25e828f3491f4f16a61e6195b77bcdeb9ea6
SHA512 f5561dd323d2bc622987a6848105b5a17689dd8b882a25e1813fe29e56f8b4dfa675ec3d17a0f355fd73566c2792314c9cb2f7838a381273d3307f60f6d447fd

C:\Windows\SysWOW64\drivers\spools.exe

MD5 68d77d59ac880dcc9076953c1b633d14
SHA1 fe12346956a5bef217d50aa0b56713a82024a107
SHA256 5ee36ae5925abcfe177e26e4120f1c862afccfb2c0129b6f7f603aa397bc8416
SHA512 2ba261de556840f8872b8edf1b0778c2a6e5317a06f4c18f619f4bfbc9166a739ac85898a93ad0d3999e80540dcf2530402c6732e47d7556c80bdf17f83e83dd

memory/1044-215-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 e76c643b7cbda92b97cc147809656ef7
SHA1 ab128376c02e4d2e21f9f7ccb28cf3cca80c187f
SHA256 879be64206970250d342394971d1ffecf27b944b4068bf3ddb251fe58701701b
SHA512 d070c90954dca7c46688520d4b2dafaee2b8db0c82d5ba802d1e05673594a370a17b1c304782f590c476427aeb4ece3a287a468fc31f81cd114514fd0c79717a

C:\Windows\SysWOW64\drivers\spools.exe

MD5 353b29fdbfc67c8fe0687fbba9185711
SHA1 e85bac45e90371d7e2415e6f0ab54c8244e60773
SHA256 dba172cbbbad0243669b984e9a934f78b26d6492a77b9e66eb857dfe8ebc353b
SHA512 5243fa76942a9ea4bd02429da57d664747664081fb0a7cb332758d463c24eb9fbc6520383f7789bca9f9630520f57854d8b96b4031a42d616d8e3f1dd9a8eb42

memory/2484-223-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2712-225-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\cftmon.exe

MD5 fee421d1bb58344307716121cdee9995
SHA1 17131a20bbb0eda0300a251f620436af465a3ba6
SHA256 97326b534cadea3504f5430e7698ff726997a7460100459abca9a1b5d15388cd
SHA512 d1861ec3ec5066f6a2033302b17b696e434cf4bf73c0a32e4fc5375d768e3e8a97134f5570677263f1b0edef7f47c22077e5aeaf252a96b92db0e42a8ef96c6d

C:\Windows\SysWOW64\drivers\spools.exe

MD5 72ce3b3410d6d10fa5f91707ce45596a
SHA1 643cf081558ab9d59010ab93cabb37cdec5d790e
SHA256 579ca26beb4c9f8e3d4ad39e613692219553c7127331819f39bbcb1c70c123a7
SHA512 0df41678451b482316394a972be9bb8c02529244b5fa0a450d8979d7beae3a016c4aa5f3892333a5be8cbff630e597b2afeaa25c7c493f36c6296a1f1ff37034

memory/2484-231-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2620-237-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3044-244-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1672-245-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3044-242-0x00000000004A0000-0x00000000004D0000-memory.dmp

memory/1672-252-0x00000000002E0000-0x0000000000310000-memory.dmp

memory/1672-254-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2828-253-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2828-261-0x0000000000370000-0x00000000003A0000-memory.dmp

memory/2828-263-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1756-262-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1756-270-0x00000000006E0000-0x0000000000710000-memory.dmp

memory/2836-272-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1756-271-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2836-278-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1792-284-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2980-286-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1792-285-0x0000000000470000-0x00000000004A0000-memory.dmp

memory/2980-291-0x00000000003B0000-0x00000000003E0000-memory.dmp

memory/2980-293-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2388-301-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1508-300-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 18:06

Reported

2024-05-03 18:08

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File created C:\Windows\SysWOW64\drivers\spools.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\SysWOW64\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 5092 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 5092 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2484 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2484 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2484 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1560 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1560 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1560 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3652 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2380 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2380 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2380 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1456 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1456 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1456 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3624 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 628 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 628 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 628 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2464 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1120 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1120 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1120 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1916 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1916 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1916 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4204 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4204 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4204 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3936 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3936 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 3936 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 740 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 740 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 740 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1636 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4136 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4136 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 4136 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 876 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 876 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 876 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2752 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2752 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2752 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 2820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
PID 1196 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

Processes

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe

Network


Files

C:\Windows\SysWOW64\drivers\spools.exe

\??\c:\stop

C:\Users\Admin\Local Settings\Application Data\cftmon.exe