Analysis Overview
SHA256
006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5
Threat Level: Known bad
The file 006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5 was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Modifies WinLogon for persistence
Drops file in Drivers directory
Sets service image path in registry
UPX packed file
Modifies system executable filetype association
Modifies WinLogon
Enumerates connected drives
Installs/modifies Browser Helper Object
Adds Run key to start application
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-03 18:06
Signatures
UPX dump on OEP (original entry point)
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 18:06
Reported
2024-05-03 18:08
Platform
win7-20231129-en
Max time kernel
149s
Max time network
118s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Both values are the stock defaults (Shell = Explorer.exe; UserInit = userinit.exe with its trailing comma), and the 32-bit writer was redirected into the Wow6432Node view, so the native Winlogon key that the 64-bit winlogon.exe reads is untouched. Treat this as evidence that the process rewrites Winlogon values, not as a working persistence point.
UPX dump on OEP (original entry point)
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Schedule is the Task Scheduler service, so this repoints a stock service at the dropped binary. The data path is system32\drivers, but the file was written to SysWOW64\drivers (see Files) because WOW64 file-system redirection applied to the 32-bit dropper; the native system32\drivers path is not among the files written on this 64-bit host.
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
"%1" %* is the stock exefile handler, so this write restores the association rather than hijacking it (a hijack would put another executable in front of "%1"). The same event is reported again under Modifies registry class below.
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Two autostart values (ntuser, named after ntuser.dat, and autoload) are written to both the user hive and the HKLM Wow6432Node Run key, which 64-bit Explorer processes alongside the native one. cftmon.exe is a look-alike of ctfmon.exe, and the XP-era Local Settings\Application Data path resolves to AppData\Local through the profile compatibility junctions on Windows 7. As with the service entry, the spools.exe value names system32\drivers while the file was written to SysWOW64\drivers.
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} | C:\Windows\SysWOW64\reg.exe | N/A |
Despite the signature name, all four events are deletions: reg.exe removes the entire Browser Helper Objects key with /f (see the command line under Processes), taking the three listed CLSIDs with it. The sample removes existing BHOs rather than installing one. The command names the native key, but the 32-bit reg.exe was redirected to the Wow6432Node view.
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
logonui.exe is the default value of this XP-era setting, so this is another rewrite of a default rather than a hijack.
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe (68 further instances with the same image path; command lines not recorded)
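The registry writes in the signature tables above and the reg.exe command in the Processes list make a compact detection test set. The following is an added example, not code from the sandbox or from this report: it reconstructs those events in a Sysmon-like shape (constructed here, not exported from the run), normalises the kernel-style paths (HKLM/HKU prefixes, the Wow6432Node view, ControlSet00N, the default value), compares the Winlogon and exefile values against their stock defaults so that a rewrite of a default is separated from a genuine hijack, and flags the service ImagePath, the Run-key targets and the BHO wipe. The rule names, severities, the DEFAULTS table and the benign control event are this example's own choices.

```python
"""Triage registry and process events of the kind listed in this report.

Added example, not part of the sandbox report.  EVENTS is constructed from
the indicator tables above; the rules and defaults are this example's own."""
import re

# Stock values of the keys the sample rewrote.  A write that only restores
# the default still rates a medium alert: a binary running from %TEMP% has
# no business touching Winlogon or the exefile handler.
DEFAULTS = {
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "explorer.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit": r"C:\Windows\system32\userinit.exe,",
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost": "logonui.exe",
    r"HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default)": '"%1" %*',
}
DEFAULTS_LOWER = {k.lower(): v.lower() for k, v in DEFAULTS.items()}


def normalise(path):
    """Map a kernel-style \\REGISTRY\\MACHINE or \\REGISTRY\\USER path to
    HKLM/HKU form, fold the WOW64 view and ControlSet00N, and name the
    default value.  Returns (normalised_path, written_via_wow64_view)."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    wow64 = re.search(r"\\Wow6432Node\\", p, re.I) is not None
    p = re.sub(r"\\Wow6432Node\\", r"\\", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    if p.endswith("\\"):          # trailing separator = the key's default value
        p += "(Default)"
    return p, wow64


def check_registry(path, data, image):
    """Rules for one registry value-set event (Sysmon event 13 shape)."""
    norm, wow64 = normalise(path)
    low, val = norm.lower(), data.strip().lower()

    def hit(severity, rule):
        return {"severity": severity, "rule": rule, "path": norm,
                "wow64": wow64, "image": image}

    if low in DEFAULTS_LOWER:
        # Exact match with the stock value is a rewrite (what this sample
        # does); anything else is a hijack.
        return [hit("medium", "default-rewrite") if val == DEFAULTS_LOWER[low]
                else hit("high", "hijack")]
    if low.endswith("\\imagepath") and "\\services\\" in low:
        # A service repointed at an .exe inside the drivers directory.
        if re.search(r"\\drivers\\[^\\]+\.exe$", val):
            return [hit("high", "service-imagepath-exe-in-drivers")]
    if "\\currentversion\\run\\" in low:
        # Run value whose target sits in drivers\ or the XP-style
        # Local Settings path, or that was written by a process in %TEMP%.
        if (re.search(r"\\drivers\\|\\local settings\\application data\\", val)
                or "\\appdata\\local\\temp\\" in image.lower()):
            return [hit("high", "run-key-suspicious")]
    return []


def check_process(image, cmdline):
    """Rule for one process-creation event (Sysmon event 1 shape)."""
    if (image.lower().endswith("\\reg.exe")
            and re.search(r"\bdelete\b", cmdline, re.I)
            and "browser helper objects" in cmdline.lower()):
        return [{"severity": "medium", "rule": "bho-key-wiped",
                 "path": None, "wow64": None, "image": image}]
    return []


def triage(events):
    findings = []
    for ev in events:
        if ev["kind"] == "reg":
            findings.extend(check_registry(ev["path"], ev["data"], ev["image"]))
        else:
            findings.extend(check_process(ev["image"], ev["cmdline"]))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe")
WOW_NT = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
USER_RUN = (r"\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed events, copied from the signature tables and the Processes list.
EVENTS = [
    {"kind": "reg", "path": WOW_NT + r"\Shell", "data": "Explorer.exe", "image": SAMPLE},
    {"kind": "reg", "path": WOW_NT + r"\UserInit", "data": r"C:\Windows\system32\userinit.exe,", "image": SAMPLE},
    {"kind": "reg", "path": WOW_NT + r"\UIHost", "data": "logonui.exe", "image": SAMPLE},
    {"kind": "reg", "path": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Schedule\ImagePath",
     "data": r"C:\Windows\system32\drivers\spools.exe", "image": SAMPLE},
    {"kind": "reg", "path": r"\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command" + "\\",
     "data": '"%1" %*', "image": SAMPLE},
    {"kind": "reg", "path": USER_RUN + r"\ntuser", "data": r"C:\Windows\system32\drivers\spools.exe", "image": SAMPLE},
    {"kind": "reg", "path": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\autoload",
     "data": r"C:\Users\Admin\Local Settings\Application Data\cftmon.exe", "image": SAMPLE},
    # Benign control (constructed, hypothetical product): an installer adding a normal Run entry.
    {"kind": "reg", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleAgent",
     "data": r"C:\Program Files\Example\agent.exe", "image": r"C:\Windows\System32\msiexec.exe"},
    {"kind": "proc", "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f'},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f['severity']:<6} {f['rule']:<34} wow64={f['wow64']} {f['path'] or f['image']}")
```

Run as a script to see the eight findings: four default rewrites (Shell, UserInit, UIHost, exefile), the Task Scheduler ImagePath, the two Run values and the BHO wipe; the constructed msiexec entry produces nothing. The wow64 flag carried on each finding is the reminder that the Winlogon rewrites landed in the 32-bit view.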
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
Every write of spools.exe and cftmon.exe below carries a different set of digests: the dropper rewrites both files with different content on each copy, so the hashes of the dropped files are not stable indicators; pivot on the paths, the registry values and the network indicators instead. All memory dumps cover the same 0x400000-0x430000 image range (0x30000 bytes, 192 KiB) across the re-launched instances.
memory/1044-0-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2184-1-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 926a9693b5be5e23a8df5e07dd5e9b3a |
| SHA1 | af7b046e1815165437f72d2925024c5fe60908ab |
| SHA256 | ba448655753d250e4bd0ccde0fb9f540224ddcb162c312f3e05b03574248be8a |
| SHA512 | 97188f88c72383ed6321714243612d7feb0a465ddb6fcfd8d90aab0e138ef2f36bba8f1f13fc15f0f83b98c2fb9e5939b71a1150f6986af2b4e2a9d64e0f7016 |
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
These are the digests of the single character 1 (MD5 c4ca4238... and SHA-1 356a192b... are the well-known hashes of "1"), so c:\stop is a one-byte marker file rather than a payload.
memory/1044-9-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2184-11-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | aab5da8362356e79ac42e3028cf00363 |
| SHA1 | 5ae0c52f44563e269ca51221e10daca6db48c475 |
| SHA256 | 830b880b410f101f649983c6e7355186f9b0138fc93cdde8cd21fd27dc748a19 |
| SHA512 | 08bbac32457376b0b416b769cb6ed6494674e9aadf8a0b0bcc3820e6846ace3bc063e93a461893f90f9f9d8b77204715f55c3c80051fe4b5ddb978d2a19381e4 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | d73a0177db4333fb1b4fa604b6c2c2cc |
| SHA1 | 3af1b9ee0d3e8df388b53fad58c46fab5d276c17 |
| SHA256 | c38dc00da8cf20005fb2d383ee2e204bbcf3e358a58f9636381a4f28efa25845 |
| SHA512 | 01d3fcdf4a764cbcf27587dc3884cfc862674c8c6fbf16881fa4a57c3517258ec14c7d0ff48a6f07fa7791a32dbf012051e066d1078a6aacdb9b3a13adcb1250 |
memory/2668-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2092-21-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2092-15-0x0000000000260000-0x0000000000290000-memory.dmp
memory/2668-26-0x00000000006C0000-0x00000000006F0000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3793ff1cfb1356d410806ce1edace2aa |
| SHA1 | 603bbf51a9a7281ff5abaad4358cd12d7e2577f4 |
| SHA256 | 70b7e92ffe64ba4aa0ed0618c6b156b692d23d8eb0397eb18993b43c5521a6f8 |
| SHA512 | c70ffac5c0b79a8db369fc1956a917f5252c2bf944d749aca74f5fa2d30dc3ac55f94f2f2e2b0d0b73d239f5aeaff7cb96bda570ec9e890e0dd0ab92878d8e9d |
memory/2668-30-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3bd514c5f25925f1405e2148fb23c620 |
| SHA1 | a9845d82397938724b234b1ab2dc2dde9dc5eaa3 |
| SHA256 | 5d666eabbf9a29758aa6c254b89d8116c325c429f067f17373de694d74c09d37 |
| SHA512 | d54d721b690de7f63be23ebd19fb9399409d071988a090376a7cfa64dbfce0a3ebaff2c3c38a301ef508ad8cb655356af5e6105063d5915f285aaf255ebdce47 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2cf310a84fa08bfcac446ad03cca8dd1 |
| SHA1 | 4e771a49716106c4b0fd16cc9410df9da5266b75 |
| SHA256 | da6f69dafc1cc2b02c54b402936224887b87189def13f1132598fd5e1dacc5b0 |
| SHA512 | ee88ff97781c324b0deee46cfff6432eeacf51c7bda9ccb06118d41bc33c11c7778b05f841147fb678a6d6c539149a1356cca1b26ba9f84572318f8503d44491 |
memory/2620-38-0x00000000004B0000-0x00000000004E0000-memory.dmp
memory/2620-42-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2520-39-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9a3b5e4542cfb3163828ce32b4884b02 |
| SHA1 | 0e2dd26e820c3b810761f821f8f13475cb32c815 |
| SHA256 | 362eeb9023dad6631c67034cf75aad914cf597a6471b1134d11e29a4ee36ecf8 |
| SHA512 | 3e756a78d532115b4dbeac0b417f557b6ca117eb2d6de9efdab3a562ebcda179ef30691225eb780450e349e94e88fae3d80af515596ab3d2cd9392848fb46bb0 |
memory/2964-47-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2520-46-0x00000000002E0000-0x0000000000310000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 71ec38af1ffb5e018ca9cc21fcdc0e59 |
| SHA1 | fefa6193c432faf4340d0067975f304facb5eb61 |
| SHA256 | 34a0837972d95e1a0634559bcb6b93a988eeb40cca34a63f2b58ec87b7b12da5 |
| SHA512 | d75323659c25017609dc96241e044a03ce063d96ba34acf99bbde8ae584df3478d57732e22f1fda6cbf1af4761d6d1643815ff12614454ac5d14f5d9cf51fff6 |
memory/2520-52-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 99407fa779dae6c8be78d1ca43b1bf14 |
| SHA1 | dd50cb3b6755356259be890f77f3361c9d4d3772 |
| SHA256 | 86517a8be004c175c492341d7ec4b7757624bdb6fc0cda73a3c49b54f5afd688 |
| SHA512 | d2eb8f38fafcb702daff387257f6eff55e98bb421ae5ee09513652ed9937f39435c2c33ae432fdbbe2b34daba7a4502fd9d081e8843cbaa4f17e28c7abf65e16 |
memory/2964-60-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1cca5e9fe107cf579e452bbe72aba10b |
| SHA1 | 97eecde696b655b66afa92e5321a39f7e41a5715 |
| SHA256 | e88a8af060c3aaf2325ee5a674559a151bac49038f5beb457ddb087256cac3c9 |
| SHA512 | 46226be97b75d39fe273bff7774b74cd859b5903d07c7041319a42c8bf9390181747de0848b1fc3da6e685e5deddee1bdf19409f756214a02f7851b230b84543 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0fb2378162d6477733ee389b395b378e |
| SHA1 | d274531886640fc1f8da103396470c90168c0d44 |
| SHA256 | 45b771694646937ef0de5c3682633a06ed279c8e2b9bf612bafc4571f2814eed |
| SHA512 | 5a5152dd39373799538057a5e22fadb5dce575c5192ac887c8121ef6fd8c1080f9e40ce36876d0d699fb0c82172a55ab82a9e14f60e5f0f1c938c4ceb3510659 |
memory/2528-65-0x0000000000340000-0x0000000000370000-memory.dmp
memory/1940-68-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2528-69-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3afaef4cc072b2a03009d61b2f3614dc |
| SHA1 | 8f4e9b8d6d61a9bdd5f418d753217eea219c8351 |
| SHA256 | 16fdac82809f3a0e1fbeeda31b13777c2cfc2c6b0eed8a3d393e9e7bb8b54410 |
| SHA512 | dfb15a84a0f56fdf90e31e14ff2f7a65d14ab57f5240e32b3963c21aa1f968ce96da93e7ecd2d2028f984e55f0294664dcb89b0d6c9563c8c454d055a838d9f3 |
memory/1940-79-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1940-74-0x0000000000380000-0x00000000003B0000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | eb7e8c052f8c19c8099ac3c5a6272a8a |
| SHA1 | 6dc42572f819709c4ff83c5559ddff3b70cef082 |
| SHA256 | 328f1884056e5414b8bd364a2c2d224f79d67b1ee210116a7b45082deb7e35ab |
| SHA512 | bf27fb53b91a6e46829ac32542cc263d07f82ae1da91f9dd6bf104b7b9bdc9b2632af8c4c1eb748ded94eb480c4aa62cc266c0539deace71590c26cc3fcfd015 |
memory/1912-86-0x0000000001F50000-0x0000000001F80000-memory.dmp
memory/2008-88-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1912-87-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 637e88f323b01e5d3875b0f2ae9a90fa |
| SHA1 | e53d847156fa61335074bd9634d6a9101aa87035 |
| SHA256 | 4eee13e4045c5c2538ee02a11483ea45d738d811d977d6a311d83b2cce87d892 |
| SHA512 | 7ce507c60150ef8a58e891a52af21c4eabe99c70c0671b42e4dc41c30f3ea7f392130fc4d7b58245f743e839fe5acde8c89c2b3e7a37c1c8b8e2cbd813f1e878 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8345daedecacac5d26f1f27bffb77138 |
| SHA1 | 4a600c81ea81e50e3239750b512c8c0611ee181c |
| SHA256 | 26ddaa33bb65def6dbadbf2d62258123c3927a3b147c0aa1ff3dd9441db3bbf4 |
| SHA512 | 5d76c6c5da7081ca1626e19effcc32e2ad7a3d4d07a804b18772ca94024ea9a229eac8d6a9143d65d6a2dcde92b6134846be4c410cd3950d32cf6bf4d269286d |
memory/2972-98-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2008-97-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0cd6bc86ccb74e0c4de80476134e1938 |
| SHA1 | 24173af987b707931886d7856858d9a5457b7349 |
| SHA256 | 015a6509d6afb8cfc9036fd6ec314c590ff8826ff95c155df9d1ae707264d45a |
| SHA512 | ccd5bf2f10ce7110a1083c6aaa3d6e368338abdd496dbab8e7df894838603aee50b4eccc7d4cfa2354649d2630e11222b741cbb23b7e282a431176cc238bd4ee |
memory/1740-109-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2972-108-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2972-107-0x0000000000340000-0x0000000000370000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e53806af0d022a54b287c2b72c2ead54 |
| SHA1 | 71d0d9fbdcca2e85727cfd9ae46f15dabde7e525 |
| SHA256 | 88969bf975c44346c8815e6f31b91e2002ed9719792d5541b2b93e89c4a65729 |
| SHA512 | 80b91d9c1488a41732ced44d9412f632f56b70afa57513b9937e94b95185b986bad276bfae691fed9c214180e8e4f4e44978616cc0de5743f654d1c8304f7eb3 |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 46ba5b553ec27d09d80c09c5bca5ace6 |
| SHA1 | dbd6e88efed9942629d5280b12eadc29ae0e2c2f |
| SHA256 | 119ef033524cb6424336eee100e6b0138a9733b860f5504e3234a987bedcee00 |
| SHA512 | 7e1434c51930a419a81e7875f2c6b6c303cb2a1aae73158327d8e84aaa8091d8a41a7663cd15a4e3bdf562e517d00531553a01e2146d4cdcdf4e06bcfaa00d97 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | abca37e52155227f0f82e54edcc0ab92 |
| SHA1 | 8b2a9edb9ebcccb559f5bf0b869e55a624574b0d |
| SHA256 | b49e892d93b36133bb6a287761975747cd988a66da58af79c10ec454b3ce4586 |
| SHA512 | 8cbd996781e3bf7f8cf9404d9f0712d98b8c5013caf5e3324b3d8e03c94ba6ef2764afa2a666e6967764be32c7c9c608609689af6a50f138e591b7f32b108b8e |
memory/660-115-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1740-117-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1728-122-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 775b04cf920c2aba98ce962cc8a2b948 |
| SHA1 | e770cb5516b5b1408e3887230dda46349cca3cf1 |
| SHA256 | beec87fb1045011f3fefcd2e8ea6c80139d57ec56d33469a5980ca8dfd16cca7 |
| SHA512 | 9ceac88be009c6525013dcfcdbb57bb87f67dfa45839a0c5e06c7a58f59dea28ddafe877da11683dcb2cd310b160f14ebc6ea6f4b71804f7174d518d9d939608 |
memory/660-126-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6841856512b6378b1cc2091593133b29 |
| SHA1 | d8b89e314ed682f9077fe4310d0e19633f463e94 |
| SHA256 | 4e26e88cfe7f0321cb6f40018357649c138969232aa5ba2c592cf8fbca4213c7 |
| SHA512 | d9bb4b79e0949a223aa1ebc8488352c8a67ba59d57aae83d78123bc6d6efcb7cdf0fb9d8204775e88109a37c19bd20cfb2614ec43583aa1098054a1be9dffb25 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | df68a39539c26956862b2240633d016a |
| SHA1 | e834520e5d4c7f9b23380983f2f84fe1860a18c6 |
| SHA256 | ccdb6db1e24444e9d2bdcb78df5494269f260abcb2306c58fb157b30baee22c1 |
| SHA512 | cc7fe27686e9624d37a65bff097bde61e7e0665b7553549de3fcf86644d48d340f3c09502b7c0efeaff488e4d5d75fb365a9932b614c640c2505a6be31327333 |
memory/1960-134-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1728-136-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 15629e6541bc8f6869e3d27be1d59fc5 |
| SHA1 | a7b603fa18bdca547ad7fcd9f2d8e94dd00095fa |
| SHA256 | 53ffb46db550cc9306004799dc947adb7330958cd008e0c6ab9f7b11c35530cb |
| SHA512 | 478f3fbcf1329024f5b06ed43395b0d07fca1fc5fed3ce0e41f59d08b1596881785eb8f163682b7b74ca44fd4af5067ca6611cf67a378c036bd569acfafa13ee |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a9799974d7cdbdf7b4d433165180c9e8 |
| SHA1 | 29a3a26fcd3f681b1010d6a24e8fa41595aceb66 |
| SHA256 | 8714173e425034cbeb8c12c271bd5da7d05d3d8735233eb24b0c4bf94f522040 |
| SHA512 | 0e0b3b03c87b676e5d66a680f4ce8dea421bf1c2828e93fb15398d65806344f50d8b1378de4e071b39c5b5df11d1bf01e1d34f8052a9f102a7d0a7c0c2f59eaa |
memory/2028-142-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1960-144-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 60529e608b6cab1b02f33fd7def497f2 |
| SHA1 | 18b66a049d7604e1e2a1c703f395116eefe388b5 |
| SHA256 | abf56f925e5268c8cdfd29a0b45e91d2e720788e336ecf71223f0581f45078a8 |
| SHA512 | de9f4207e5779402f39502888177d220619c20c95cb88f11b16ab7ffcde1faa7c70bee027281132a77d48e514dc22240d1ca716ecd5265dd68d27e64b08ae569 |
memory/2888-152-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2028-151-0x0000000000370000-0x00000000003A0000-memory.dmp
memory/2028-154-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0b4ca0a73f454fdd390171cd2379293a |
| SHA1 | e9d58136db85d6aafef3f79028fd09a9bf192c19 |
| SHA256 | b2ac8bd459e4687a96ac987bf5e4374d24a92c4068ed934b9ec9c51d342b662c |
| SHA512 | 9a32cad9eabecc25c873b80c38ca31a990c13a108555c858bab7023cd6784af21f6e39a17ce74b8cede8c24d34bfbfe4b9ec2687e31e4abfee812b4c9de671a9 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 517858f826db9101e57bf263addf667e |
| SHA1 | 1a63be5ac77c5185b520d08ef1cd729f8f3231ca |
| SHA256 | b801f70d44d2e00ce9d25b5bd6eade7f682a32f48c4c1e9669c0dec2e54ad750 |
| SHA512 | 66e990982e422a141d874fe5571a117a7188972d6af256192cf9323754a4b5f7e252176de7d2f3d480193dedebd15b3928a047472490c92464ec04cdbcca6949 |
memory/2076-161-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2888-160-0x00000000001B0000-0x00000000001E0000-memory.dmp
memory/2888-163-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b455a4049de21adebf4c433bf092cc26 |
| SHA1 | 80f3378165dbf24de29436d24a2b36d9a091db0b |
| SHA256 | a75e6645c4f7e4bd4a26084774c80209965041c9eb12a00730ecf13544e7a79d |
| SHA512 | 9310165ca849bca34233cdb5f45a0c6d10b8ad8971519428ec63b112b5c8aa0b2950316f51fe97c40c89e01594f7e7f6d18c2eb4672e3fae211652f1bfb8ed9c |
memory/2880-171-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2076-170-0x0000000000260000-0x0000000000290000-memory.dmp
memory/2076-173-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-03 18:06
Reported
2024-05-03 18:08
Platform
win10v2004-20240419-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\ImagePath = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Modifies system executable filetype association
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload = "C:\\Users\\Admin\\Local Settings\\Application Data\\cftmon.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ntuser = "C:\\Windows\\system32\\drivers\\spools.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost = "logonui.exe" | C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe | N/A |
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
"C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe"
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /f
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
C:\Users\Admin\AppData\Local\Temp\006c09dc42ffbc2e37fa34c4aa5a918453662fe1d4558d2465b2dfaa702cefe5.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bublikiadministrator.com | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
| FI | 193.166.255.171:80 | bublikiadministrator.com | tcp |
Files
memory/5092-0-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 19801aa5946c40976916e2bf860ebd07 |
| SHA1 | 48f945ea733dd75a8ee809ca56cb43b5505d4cd1 |
| SHA256 | cbd49788d5cb1163f559572a80d0a148d14ee50305c89e4043ceacc0f8ec4550 |
| SHA512 | 6eb8e171c51eb2ef075d04ac439e7f3c62c5010f3084eb84f7164bfb59b38472ede4ff38c2cfc7487617296dd07de5c147aab9dd499be561d9a00d87b6cabf0d |
memory/1636-8-0x0000000000400000-0x0000000000430000-memory.dmp
memory/5092-9-0x0000000000400000-0x0000000000430000-memory.dmp
\??\c:\stop
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1baa6e22efb363fa0d72d7d756b4ef51 |
| SHA1 | adc0cba104c6ba93286a452493ae014729bdb4f1 |
| SHA256 | 7bbce62c0987e2bba39c6069a5854709b68eb458f736af8dabcbad0ff5062406 |
| SHA512 | 7743e4fe27ff58095c97949d8e1621bc187f77326ac21fa1c28f3339dfed7a3f1e18bfe985092c3209942b441d2210bcec928cc8d0bc5e43dcc604b3caa30995 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8c9ecc5d22916d3245633edb8a223206 |
| SHA1 | bea4b06becaf10a5977d7b819371ee0188191ab7 |
| SHA256 | 773017a31659bb34bb02587d985c23061b301690519ecad48e675b4a84e112be |
| SHA512 | 11b883c68272f46251797df94a7037c06cafe26d13137042d6117ebfaa2b2cec0402c08ad2fc41c97e74f64310333f5c247a10b48d5d2c10e5504b02a9b22dc9 |
memory/2484-18-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1636-22-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7a9cd2994bd2ecde7f3ee4bee621ca2f |
| SHA1 | 7601b1c7cf6a4f83f87a5b92405f9ba1f15afa4e |
| SHA256 | 85e93ff711b52c102de22cac5ed1201af5c696e3147db114f3e6246e5829844b |
| SHA512 | 0198f9c5eada21875e4b3b716b43ab5dfe63b203027ac7ee13e3130b5c02f90421949e7280d9b79036b106ae97187950bb84278a363739e6c3618b3d864ceb4c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 936a2b9764f982e85eab0d26a28604ed |
| SHA1 | 94422d14375a8a925480cf23586beec698e1f48c |
| SHA256 | 9e314956dc64b21b543f586cc8efef2db09c6eac8d678b278bf3ce767d1ba92a |
| SHA512 | 2547143580b8e835ab06ff3337914054bbc94b010cc53026d729673cc413d6aba2b63d9f93ab00d60966f989724992728bd18611f0292b1c5d22ba5af527d431 |
memory/1560-31-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2484-36-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7f58476a36e73582c44814434b65af9a |
| SHA1 | 99e63f3bcde1bda20cea902b2a0f0bad2c207da7 |
| SHA256 | 67b8351bfc7fc0beaa468a92677242538fa8d5c772e90df515685252d3e3d092 |
| SHA512 | 5606eb14fec7574a64b1b5cf987e1c2317c5c6c71efdc9a606a4fa44532686f11c76cef735274ce0d52356768feff20dc609a978702e30fe5d59be9661e6d6ba |
memory/3652-46-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 00bb6910fea763b3249b7488507e5817 |
| SHA1 | 359f4969ff84b479a1dd72438a61c5d55cc19579 |
| SHA256 | 9a52a80eb71ec2d2abd3984aa3c040c7ab56abb63ab42910edbbd2ac4f91634a |
| SHA512 | bab00838c8e40594d885965a78d76999b7807c72c01f8fef1ba54c723405c060023aaf19c1ac4bae441a5fa71b330473d04f3ee9df377c8bae342a43a255a0d1 |
memory/1560-49-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | fed3bb7d05ac63fb349c8bb42d962725 |
| SHA1 | 5edf5c4acf7ff42d566d47160ca511b1442bb06f |
| SHA256 | ac02a049c50a3b4211502bc861e7cf97e6d999833c708a839d04cc3d6de6c42d |
| SHA512 | 2d2ff4de63a19c00fa9652fbd79895cf790148cccdf6251df53462fa0ba45b7941ecaf2bf2a4a3211496f878962f183d56ab778df7ae52016099ce4891684baf |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 199fea0e94632c5dcdf5fa96574017bc |
| SHA1 | 8c854ddc85610233fbf0bfa121b740a542a85221 |
| SHA256 | d3e63d83303178aaec48f20ab52a431376791d401107b7dda6eccacb323b9045 |
| SHA512 | 7f6daceef272b4d72497b6cfd5881b00882697ef6915615e35f855b9dd325213683693b04463aa11181d9bf01c3b185990e9a1123f2724018b5a60b1e7da7524 |
memory/3652-61-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | cb24c2d513b42528cf48842aade55830 |
| SHA1 | 547ba86e83b8638c4aa7f4bc7eeeabf136e10957 |
| SHA256 | 49456d71e8be5e1533b99e2ab6f162fc95ba2130abf9bbb59e4716a50b92404e |
| SHA512 | 0004aa3b5ed4cf16183edca069ba325c4de566a6c11346adfa1b60df4c1d6a2b08e40df2fd4192a936d45b52346548ef08a2ae3153ff78bafa6ece08827f1a21 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | c3bf0c9891400bfe2d95e4de57497ee4 |
| SHA1 | 5f135a7ae02aa906dbf701ae396feb2f3f58af1a |
| SHA256 | a1487bfb2e577cad60fce8da94e3c2ba886a9871062390ec74e0ec567430a6d9 |
| SHA512 | 19d93a5a628be91f3a40f864eaa6216e65aeeab0e9669561d5d28c35c230f8dc3d2fabd9ebc6ef48943badb0506eb243ce7d681b2028bdbfad4be97feca14131 |
memory/2380-73-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c1cdae9f8bc20e1bf20c477b21d887ae |
| SHA1 | b3beb0309a80935687207cfb39d4c140489ec6ef |
| SHA256 | 047500cabe9cbd13601ced61d0fc614eb0b2ce16d6a658c7411373c9e5a9f23a |
| SHA512 | e7b48524ac5db92318ba7e2623e354814379ae8d5ab4c5c9492624c2236c29b15d4ad3ccfb8d278a89eb2dfd25e304c29c44ee52ca05581b06b92ac0fdfa4c6c |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 9237ee41179571c343eff87a7f878913 |
| SHA1 | 4d6e3f5911f1f6bdd5c586f780c9639dd4c3b21c |
| SHA256 | 87e5a75806fd1a782e606025dcd2c17d52ad1561ae372dfa4fd99af55719e0e7 |
| SHA512 | 07595f2ce187d9eea2f961b6962c2b98feea23b9c6c23ff3908f1075cbbcac5314836bf88faa01e9cd5abfa582882d60f46f105e3dc171afef8cc542c5d98671 |
memory/3624-84-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1456-87-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 65c4f864f3f501aa235449f72de35e82 |
| SHA1 | 7ff58b132d5d2c5ec78ccd9d285d3badfed4f6c4 |
| SHA256 | 99a5e3266f850c196b51b2a339b94fa39e84886823767d7d4868314a3e5fe98d |
| SHA512 | 287c95db6db9d8785c8a8d7aa2a8f39f8476aec3a9e6c55126e015fdae90bb936beda7ab6f8b9d9f3b54917ed39013773cb8a5b146b3c9657eb10a7316afc0af |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | f8a23e358c784cdf93fc61ad68e05b23 |
| SHA1 | eac12cd00c2d180f80f2114ca318d5481ffcb5e2 |
| SHA256 | 287b84ee805b1e4877696a5eedec76d7883347d7b8a57c7b45d239a7d0bb7074 |
| SHA512 | f679dec5eb42121606d499f28cb018f93ed8b39c2032a3b53616a1d4504dcd790cfaf925faf7db33a6d25dd7a84c2e48a6b5527278214aca6dee9d11abb5ccfc |
memory/3624-101-0x0000000000400000-0x0000000000430000-memory.dmp
memory/628-98-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 3e51fc71d42e1dc88ef0195df30cd1c2 |
| SHA1 | a964927e27d076d8118e551a04b0a06335b5c508 |
| SHA256 | edce2639ae16e1d5f26d4739939df31c64f40f419b59d6be9faa8195ed72b339 |
| SHA512 | 17dd836e7c36821681320f10bc84ce81913bad429d7953a6c07ae3207007e1e8757d3f65171fd334efa276337d46141a5ec427bed4799e6863968fe309192bc2 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 8cdc1d68425f3f9419838ba472a204bb |
| SHA1 | 4806bd2ac9bcad470a963fbdcd9a38bc9fae77cd |
| SHA256 | 632903a8339d2be5ea5a7fd5d1baede0bb25b2727ff0333c9809011b6c7ca6f5 |
| SHA512 | 151715de4ea1ab80ce4416f2b8340682790ad6e8f7c4d5cfaef341437d01518eed659e05916854d691657471dd2c3e4faa07ea3759775710670bcdfe74e16b33 |
memory/628-114-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2464-112-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 9faa32e94aad96fce4fe66b38d476a2c |
| SHA1 | 514fcc8b3168702a925267456dee9541aa7dcb5c |
| SHA256 | 080d247a151e38ab9c842a47d2392cc114a05e5a3b2372e954b0231062b2f269 |
| SHA512 | 3b30ba5751b75046fc834fa9a392c1189eaf42e8f40b921d91a8e5930a7a037a252a807f21fec707b3d4a60de7dc3551372f822d44285ea0d98ea7396425354b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 5ba1cead6f6adfdfed41e4ad550279a5 |
| SHA1 | 52579b6013edc53111778c022a24873c777a38a6 |
| SHA256 | eac98e67ad9b8181cc8f3113d8fd8c892c85b1e7ce8c4aa2f686d906d1e2598c |
| SHA512 | 6027cb0c0553ea2a880919b2a48e5f59d4e25184da57e2c0290e5397411042492c7b78d7cb8010f2504fec4a356b50cca3d67df1d9687a91ab1dec2a3a1ebf3e |
memory/2464-127-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1120-125-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1ddfed006f5e7b846cd1345cb399a631 |
| SHA1 | a4e7907d12cbc46e18dc84a6d60ca5533323a65b |
| SHA256 | 33e44f703aeaf52d6c45179de8d2f3d7be9ed986817794885986300e0e3947a1 |
| SHA512 | 0b90a143ba651406c2b87a473cbf26e8d54c2fe03bd484352311aa476672ce5bb90c338812c755b8275f810c67d19d6e73c43405e9c8f776814ee27e49663ef5 |
memory/4484-136-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1120-138-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1916-140-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4484-142-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 19844d1e711fb90948770d965e680120 |
| SHA1 | 564cc9411b75e28ac7caf9e3daca24b71b58f9ad |
| SHA256 | 91f2a580a434bcad3f4fbecb7d7101fd93b5132c0cad86bad14d3b88bd576604 |
| SHA512 | bb75dcf0f8512159ccc5d826c73e05bcc8cce00722f3b64e1b29d7d884b76156208750bacb2c76da23dcecd578925cea23caaf1c78fa643ab343c327a6122d99 |
memory/4204-154-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1916-156-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | b8739366133a60380b8a31859883eb62 |
| SHA1 | f659f4a8fcf2ae7b6cc356abfe8b064c8d98ba07 |
| SHA256 | 664453bb77fc854e8ecb3a8203e22e77ec9a9a7cb5e2097f149148998475ed45 |
| SHA512 | a442ff8a57af546ea959eb240b80443b23de905fbf4060112198f8153daebcbb9eae90ce481b0359de603bff0635817dd9d3c3501fa563512c2431f893210c90 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | e2a5701b04036e2c4f9a0bba1603bf82 |
| SHA1 | f961bf8b0c3e5735ed9799629d6c94a7cc5e055b |
| SHA256 | 94e66be8492aeab8a1f01a75ab6915ed9973067c5c64ed76d3994f544e261d55 |
| SHA512 | 9b885da25eff41e54d8f2e482688dd09afdcb2de38c1ebed78865062ec1347fd092373c6cea02ff503e608d0751422e81452bdba091b5ed1be855bf7a36d875a |
memory/4204-169-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 7444423726c5bad2e75a3b19d78481ed |
| SHA1 | 9ca23b1e6dcf7ad63f92f0acd79c947835a28960 |
| SHA256 | 7d89b35d1092c681dbecc64c9b62d58c513a2311228cfe72239b0520e17b1a68 |
| SHA512 | 1f51e62ee4316384d96dbf4d53e3ee264555abbe2880605bc8a55998ca73857f2b6f5de9a7190758c0bf50d3097cbc23f285bcdaf095f52ac87e7431d0340632 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4f2ce6ae888f7ddb368c16bea6cfb47a |
| SHA1 | fa08c7a7dd0a6664f9ec50156d3481715e034c4c |
| SHA256 | 2491ea837dd9959eb7225df625a7a6044f3031cffcc4c8413fbd45768a6e7150 |
| SHA512 | ae108b8626ee304668636946c008e5922f19396f460d4a11daed579c112d0c9742484e2139d1c7de88648c75907e9b4fa793ebafbe1830f3b293b59c9cfbe6bc |
memory/740-180-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3936-182-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 69e84330511f3b102e2f7593da6fd167 |
| SHA1 | edc3d2f25f39a38f7ef62286fdc418b0e24a54d7 |
| SHA256 | 79569e89b82db9c3cfd3115f6ed75c7ca4d8a0c9a13249df81d4e20fc50d2cd7 |
| SHA512 | 5af48c25b085d6a13b46fad8b1850117228bf295ea2b2d9e00dce1ce885d7e414747d4fde1651feeb16f8d3b2b09cd571b2071cabec1df48edca5e75cb548dce |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 2a1443ada6cc30ea75ea336e8477095b |
| SHA1 | e7f1ad6c7bdd66dafdf0843b7429e3d7dbf78d16 |
| SHA256 | 1f8dd665548245e94e7977a17da42f2bb6aafe543a5237cff62748f71ce041db |
| SHA512 | 642fbc66ef6a8fdcaa573bfd65ce1df67b1a241c7afca5d3d9156a87c2fa75f86be4585a929611c21e121ee7264cc89a663b188e170af7768c7cedad2ee1639e |
memory/1636-193-0x0000000000400000-0x0000000000430000-memory.dmp
memory/740-195-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 8f77d1c26326cdefea778bc091e8c5af |
| SHA1 | c4d735056eb9f34d39deb79e3b12eaac076b2248 |
| SHA256 | 1c92de66b5115b548a4e0e094dcc7abee794827694c7508dad67092340d246da |
| SHA512 | 1309a3b93963f1624fbb2ab3aca582f5a4f9029159cd94da0fc23eb1ffd73871abec00a7dd60d2a9d9977193700ea31727d51f7714c1764edea8debed6f9cf7f |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 4b4d63db88ffacc3c340dcd820b96ad2 |
| SHA1 | e48449e36fca8da23f18a2ab71a91290c56e9821 |
| SHA256 | 7be084898c26a48e1fda9c20c4a45d5af19c428477a2cddaaa52c29ab9a6b6ef |
| SHA512 | 84b7e2a01c53d58820166d07488c4301494cf4a2dc5fb53e208f2a55d0b00edf8326ad407e5df9038ddc44b098277671e893043a4ef0b613c8f0a70f2a7f42b4 |
memory/4136-206-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1636-208-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 90a2a975be04d75d7b6a7cea1968dfcb |
| SHA1 | b6412bb5a5daea624b9625287849cc28f35d59bd |
| SHA256 | 30e033289805cfeecc9e0e7152f893d5ce67a30f0b0e63f9015f1b184c2e8768 |
| SHA512 | 77ed30528431f7e9dda687b54d52c342a159b82a03ab0ca3658c887860abf666e50dd6286d985b6def0fda161cb862de0e64fe4f5905f819388f53676d0ac57b |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | cba83eee3f37489f1213deee1169ad15 |
| SHA1 | f8dcfa0b91fa87fd1170541bb212d0568437949b |
| SHA256 | 9e8c02a6b31bcca19e3cdd8db655406c2a5baf9e5d3eb57b0d3ec012c88e3a99 |
| SHA512 | f76503dd14479615584c1a95e7655256915b6f590f340570674fe3a396d61b2645842c3e2d4577c3dd5dbc928da950688c4eb8273cbc2348f80147a1bfe39aa9 |
memory/876-219-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4136-221-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 1c04d1d729c6dc8cf7384bb145caaa10 |
| SHA1 | 1c6dca85b4eefe9347ed6549f27b4ad070238251 |
| SHA256 | a89167ce166070ece1dee4bf0779aec7b2ee204f402f03d29bfdd10aa1ef02f3 |
| SHA512 | 4f1edb3a6d27fb997ce0c70439f106a4e3c9775fa9c55a5d1a5977520effbc578d549a682d7944754562c1f3424bac4192b84bbd1a805a12d6472f038fd23fe9 |
memory/2752-232-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 3fbeb10cc03307763464bd1956eb3e19 |
| SHA1 | df294969967685b4b5093c04598b52ce3044bc0e |
| SHA256 | b718a7e8baefb386a94a8bc716ab8d0059b13b37ad3148bbe31f07ffa2812893 |
| SHA512 | 8961265ef7d6c0cc56d143a9585b40c236a45e76325bac8a43e9aa32b116dea2f5932199a21d864b5be84a556447fca6ba638e48acdcf969da615c0a302061fa |
memory/876-234-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 0ba861083e073b779424a2bc25a8ba67 |
| SHA1 | 19244d1b29f2f535adf4313e35a212d469c75b5d |
| SHA256 | d89155f2e1aa4e8f69d7334eb522b83de4be33364fe4b0fc1ffba997d3143df4 |
| SHA512 | aacb0a6ca4a5d02a06146914d1d5fa264ebaa4be2366329e150c1e33b7241e49277aea18b0f1145d814035812e62aef2108466ebb7fcf2e478d8e679f7527969 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | a538b9468580205b31440c1ca17c62b8 |
| SHA1 | 4b5c1837e27b47fbdfc8a67a0c124c3fbe6d7f80 |
| SHA256 | 7c49a9819c42d6000906daa44442ef3d31ba8403fc989119e4efcfbf2dfd57ce |
| SHA512 | f3a83457564f6d38affbcc9194fc99864a0a6632f8ef4d9f8b1146a635da71f141898bb6dd2b89fc28393c7a5278ec8d1e11a1c52c64865a2195cc6668c1e536 |
memory/2820-246-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2752-248-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 852ab79d69be013823ab53fde914b5a4 |
| SHA1 | 44d33efb715f031b3e788b177ebb0289a19c4f41 |
| SHA256 | 110d5695684081722d1036571e6529941a06b8bc337cdacd4d9e4c2c723755f4 |
| SHA512 | 12831b79c6ee5fb3907411d73c84c045fd214d5636ccbae9c3b45f245b165ae4bd5de05a703923da58fb4baa75e15a624f268d1e64fbd2357f32c2cc98121343 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 57ffe7c23cf17849f65b48020a47d685 |
| SHA1 | 81aef31fbfb5ec2bf7095497fd919ec57e29287f |
| SHA256 | c5c59c9d554db06e58d60d309d9c98cae7b4018d6075267ea11e19b3e169e576 |
| SHA512 | 4f19fe97a462abf7cee7f3adf33b44f8b2ba4591a8b858fc23525405254b5bad82e5452eb88a881526f8bb371bf79e05760f7873616337f8a9822c3ed08aa211 |
memory/2820-262-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1196-261-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | 6b7e8f82dfc0463fba5d3ffcf0040d84 |
| SHA1 | 22fd40cca320d6e1e3f39d1fa5a3ee4909887280 |
| SHA256 | 8759a84b1d2b88f2e28d6ed81811812d5e3c2d5b56d50ffe399318dfbc265caf |
| SHA512 | 3fb6df910afc345d50833ab37c1674199684364409178a2a53f68937e8aadb7e450f30a422f6e47dd79f216fdee46e8b1dc02e69416eb7ce18c53ddef7933c4d |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 0410520970ff703e146ecd1efe3ea046 |
| SHA1 | 05741f6a3ebe97d3c74ebc6fed8c78b9e051bef5 |
| SHA256 | 26d5dfed943226dfce652fee4fbc4d80a44438b31a8b39f94558fd252787254b |
| SHA512 | 3b99efd39746b0d1dc5399d2fd08f201c9c8e09bd9c752fb927921522a906743ac79069eabe5d54ef489ef82c0b9d22d94b545546d19fba384fd8da7a0df1b4e |
memory/220-273-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1196-275-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | c2fe596d206a2c76d209188836b93cda |
| SHA1 | 23697c45fd9e14f278bc22029e50ac9a72a21f4f |
| SHA256 | f658eebfd071d8a1fbef1f3bcecb7e98158c06720e0f91142ec49c0bdd1f79a8 |
| SHA512 | ef735ae764bde6267ff970a67d7841e979271c3d2516f33c4213b0fa663fe5251b0ff2c6bfb0dd67602a4a073b2eb53c0c4daa1e49d595e7248c2d93000204b5 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | 98a0c65a99b718b6bc15027000497c23 |
| SHA1 | dd8af2ab255c5f8ed61ad78dc837996666a71a94 |
| SHA256 | 90b01172a93272267e8cf7ed419002a0bcc9d09e4fef9207de61e19ec9131091 |
| SHA512 | 4e30d32933a59c3ade6417e2378ce51a2907b748e9ddbb9a2ff4c5e18ec42733785ae4dc40e8a33b1762acf130cbcf7b685e5305c42eb37d11a8ac882b63d65c |
memory/1864-287-0x0000000000400000-0x0000000000430000-memory.dmp
memory/220-289-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Admin\Local Settings\Application Data\cftmon.exe
| MD5 | ba904b57e8754f21fc4a67d0df48c68b |
| SHA1 | 613bf44497d53624444f02b7c743ec6d2372abe4 |
| SHA256 | 0af224b562bcb8fbf6a2fa8e76344dee8e43e66d5fed6c10d722b4510d4c39da |
| SHA512 | 7c25defe14c09fa6567bca4818e0219442d410118aef75f19a2d704131b2fe842c25711905cb05ecef70cff69cad0b1a4ca5d5992dd647627b931253ac0d4fd8 |
C:\Windows\SysWOW64\drivers\spools.exe
| MD5 | b95afb8e074818f5956a703ccc7b3d9b |
| SHA1 | 3e27fbd60e53ad3f65eccad7501e7bfe461344e1 |
| SHA256 | 2dc225c54da5fbd745e7b4edb430670691448929129adcaadec6d77c4950952c |
| SHA512 | b714c7534ba3c38c3fcfabba71f19794e394e02f0a1de5bb114cca1ee14d8703763b75019ef73656c6b58e0a2d5e19d457c97c73ff9f8cc009336be86b47a8f2 |
memory/3992-300-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1864-301-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4732-310-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3992-311-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3188-320-0x0000000000400000-0x0000000000430000-memory.dmp
memory/4732-321-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1956-330-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3188-331-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3264-340-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1956-341-0x0000000000400000-0x0000000000430000-memory.dmp