warzonerat | 1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3

Analysis

max time kernel
142s
max time network
28s
platform
windows7_x64
resource
win7v20201028
submitted
14-12-2020 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5f14779fb1c47108ab2e8288cd56235.exe
Size

1.2MB
MD5

e5f14779fb1c47108ab2e8288cd56235
SHA1

943b96da1a9fb209ae01f25e12f4da98ef86b263
SHA256

1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3
SHA512

b77f4f23887389944a66f71ac56e309e4186ed2bd0665babc1b5b5acf76a2b7b88154482b3b6cde374a63e877a3a84d91760da9039f2026aea13c63b6019f469

Score

10^/10

warzonerat xmrig aspackv2 evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 56 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\svchost.exe	warzonerat
C:\Windows\system\svchost.exe	warzonerat
\Windows\system\svchost.exe	warzonerat

ASPack v2.12-2.42 56 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Windows\system\explorer.exe	aspack_v212_v242
\Windows\system\explorer.exe	aspack_v212_v242
C:\Windows\system\explorer.exe	aspack_v212_v242
\??\c:\windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\Disk.sys	aspack_v212_v242
C:\Windows\system\explorer.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\??\c:\windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\svchost.exe	aspack_v212_v242
C:\Windows\system\svchost.exe	aspack_v212_v242
\Windows\system\svchost.exe	aspack_v212_v242

Executes dropped EXE 9 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid process

568 explorer.exe
1708 explorer.exe
956 spoolsv.exe
928 spoolsv.exe
348 spoolsv.exe
1332 spoolsv.exe
2020 spoolsv.exe
1132 spoolsv.exe
372 svchost.exe
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

pid	process
568	explorer.exe
1708	explorer.exe
956	spoolsv.exe
928	spoolsv.exe
348	spoolsv.exe
1332	spoolsv.exe
2020	spoolsv.exe
1132	spoolsv.exe
372	svchost.exe

Loads dropped DLL 43 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exespoolsv.exespoolsv.exe

pid	process
1060	e5f14779fb1c47108ab2e8288cd56235.exe
1060	e5f14779fb1c47108ab2e8288cd56235.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1708	explorer.exe
1708	explorer.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1708	explorer.exe
1708	explorer.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
1708	explorer.exe
1708	explorer.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
956	spoolsv.exe
1132	spoolsv.exe
1132	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exee5f14779fb1c47108ab2e8288cd56235.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e5f14779fb1c47108ab2e8288cd56235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1008 set thread context of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 set thread context of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 568 set thread context of 1708	568	explorer.exe	explorer.exe
PID 568 set thread context of 1504	568	explorer.exe	diskperf.exe
PID 956 set thread context of 1132	956	spoolsv.exe	spoolsv.exe
PID 956 set thread context of 620	956	spoolsv.exe	diskperf.exe

Drops file in Windows directory 4 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	e5f14779fb1c47108ab2e8288cd56235.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1656	928	WerFault.exe	spoolsv.exe
1800	348	WerFault.exe	spoolsv.exe
892	1332	WerFault.exe	spoolsv.exe
1696	2020	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1060	e5f14779fb1c47108ab2e8288cd56235.exe
1708	explorer.exe
1708	explorer.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1656	WerFault.exe
1708	explorer.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1800	WerFault.exe
1708	explorer.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
1708	explorer.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1696	WerFault.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1656	WerFault.exe
Token: SeDebugPrivilege	1800	WerFault.exe
Token: SeDebugPrivilege	892	WerFault.exe
Token: SeDebugPrivilege	1696	WerFault.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exespoolsv.exe

pid	process
1060	e5f14779fb1c47108ab2e8288cd56235.exe
1060	e5f14779fb1c47108ab2e8288cd56235.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1708	explorer.exe
1132	spoolsv.exe
1132	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exee5f14779fb1c47108ab2e8288cd56235.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1060	1008	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1008 wrote to memory of 1276	1008	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1060 wrote to memory of 568	1060	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 1060 wrote to memory of 568	1060	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 1060 wrote to memory of 568	1060	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 1060 wrote to memory of 568	1060	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1708	568	explorer.exe	explorer.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 568 wrote to memory of 1504	568	explorer.exe	diskperf.exe
PID 1708 wrote to memory of 956	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 956	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 956	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 956	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 928	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 928	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 928	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 928	1708	explorer.exe	spoolsv.exe
PID 928 wrote to memory of 1656	928	spoolsv.exe	WerFault.exe
PID 928 wrote to memory of 1656	928	spoolsv.exe	WerFault.exe
PID 928 wrote to memory of 1656	928	spoolsv.exe	WerFault.exe
PID 928 wrote to memory of 1656	928	spoolsv.exe	WerFault.exe
PID 1708 wrote to memory of 348	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 348	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 348	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 348	1708	explorer.exe	spoolsv.exe
PID 348 wrote to memory of 1800	348	spoolsv.exe	WerFault.exe
PID 348 wrote to memory of 1800	348	spoolsv.exe	WerFault.exe
PID 348 wrote to memory of 1800	348	spoolsv.exe	WerFault.exe
PID 348 wrote to memory of 1800	348	spoolsv.exe	WerFault.exe
PID 1708 wrote to memory of 1332	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 1332	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 1332	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 1332	1708	explorer.exe	spoolsv.exe
PID 1332 wrote to memory of 892	1332	spoolsv.exe	WerFault.exe
PID 1332 wrote to memory of 892	1332	spoolsv.exe	WerFault.exe
PID 1332 wrote to memory of 892	1332	spoolsv.exe	WerFault.exe
PID 1332 wrote to memory of 892	1332	spoolsv.exe	WerFault.exe
PID 1708 wrote to memory of 2020	1708	explorer.exe	spoolsv.exe
PID 1708 wrote to memory of 2020	1708	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe
"C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe
"C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:568

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:956

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1132

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:620

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 36
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 348 -s 36
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 36
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 36
6⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:1504

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
e5f14779fb1c47108ab2e8288cd56235

SHA1
943b96da1a9fb209ae01f25e12f4da98ef86b263

SHA256
1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3

SHA512
b77f4f23887389944a66f71ac56e309e4186ed2bd0665babc1b5b5acf76a2b7b88154482b3b6cde374a63e877a3a84d91760da9039f2026aea13c63b6019f469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
C:\Windows\system\explorer.exe
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
C:\Windows\system\explorer.exe
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
C:\Windows\system\svchost.exe
MD5
55e089783a37dd71b3d5b57e7c343ca7

SHA1
8294621d4e5b3e69efee3b67deb185529940a53c

SHA256
48f1c2e35332a8adf8ff7095f7a7c686aaba3c5dfb8911a87b34d0d5fd0e4d3a

SHA512
56ee1667ef6bf2855ece49a4ac64e3fb645574840497f8be2a9967c74d42bf75fcc7ee0b0b8a1950dff07cd8c133d49f67084f601978ec8c5f0714b55c4e92e8

Download Submit
\??\c:\windows\system\explorer.exe
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\explorer.exe
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
\Windows\system\explorer.exe
MD5
0e543aef1db9d5bd9ffaacdc73c24de1

SHA1
4ee6fadc9512ec56a2e4e502f290e0f1ce70c352

SHA256
1a898e47bf77eeb92b1f195bb1c08a0f43984f6a7c4768481938ba9d74e33209

SHA512
92f34dcc7358997b9fc0d9721641dbf463f8c310fd5070252f25f932e9bc5a580e9e9f1561c1d42deb5a2d4ca62b7e231a1dc0cd289aa68166f77b53b3a8a248

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\spoolsv.exe
MD5
a07255a211c43b37d7f0de7942e76601

SHA1
c1a547188b04457572b6fd69be4212022b1f7741

SHA256
2165554e07ec2d1e419c87ab2c81747ecd398b60bbe836d7ecbe1f8d8ab4dce0

SHA512
e9d4d7e4a79d310b1fc26c14c69c3e0e3e8a44f0510ae216283614edea2ace99676105d2681553c06dfb2c12ed6b8c59d7b876b7eecd65c992a3bc18a7c8f71d

Download Submit
\Windows\system\svchost.exe
MD5
55e089783a37dd71b3d5b57e7c343ca7

SHA1
8294621d4e5b3e69efee3b67deb185529940a53c

SHA256
48f1c2e35332a8adf8ff7095f7a7c686aaba3c5dfb8911a87b34d0d5fd0e4d3a

SHA512
56ee1667ef6bf2855ece49a4ac64e3fb645574840497f8be2a9967c74d42bf75fcc7ee0b0b8a1950dff07cd8c133d49f67084f601978ec8c5f0714b55c4e92e8

Download Submit
\Windows\system\svchost.exe
MD5
55e089783a37dd71b3d5b57e7c343ca7

SHA1
8294621d4e5b3e69efee3b67deb185529940a53c

SHA256
48f1c2e35332a8adf8ff7095f7a7c686aaba3c5dfb8911a87b34d0d5fd0e4d3a

SHA512
56ee1667ef6bf2855ece49a4ac64e3fb645574840497f8be2a9967c74d42bf75fcc7ee0b0b8a1950dff07cd8c133d49f67084f601978ec8c5f0714b55c4e92e8

Download Submit
memory/348-66-0x0000000000000000-mapping.dmp

Download
memory/348-76-0x0000000000000000-mapping.dmp

Download
memory/372-136-0x0000000000000000-mapping.dmp

Download
memory/372-175-0x0000000000000000-mapping.dmp

Download
memory/372-232-0x0000000000000000-mapping.dmp

Download
memory/372-229-0x0000000000000000-mapping.dmp

Download
memory/372-226-0x0000000000000000-mapping.dmp

Download
memory/372-223-0x0000000000000000-mapping.dmp

Download
memory/372-220-0x0000000000000000-mapping.dmp

Download
memory/372-160-0x0000000000000000-mapping.dmp

Download
memory/372-154-0x0000000000000000-mapping.dmp

Download
memory/372-190-0x0000000000000000-mapping.dmp

Download
memory/372-142-0x0000000000000000-mapping.dmp

Download
memory/372-163-0x0000000000000000-mapping.dmp

Download
memory/372-166-0x0000000000000000-mapping.dmp

Download
memory/372-187-0x0000000000000000-mapping.dmp

Download
memory/372-217-0x0000000000000000-mapping.dmp

Download
memory/372-214-0x0000000000000000-mapping.dmp

Download
memory/372-151-0x0000000000000000-mapping.dmp

Download
memory/372-184-0x0000000000000000-mapping.dmp

Download
memory/372-211-0x0000000000000000-mapping.dmp

Download
memory/372-208-0x0000000000000000-mapping.dmp

Download
memory/372-205-0x0000000000000000-mapping.dmp

Download
memory/372-202-0x0000000000000000-mapping.dmp

Download
memory/372-193-0x0000000000000000-mapping.dmp

Download
memory/372-199-0x0000000000000000-mapping.dmp

Download
memory/372-196-0x0000000000000000-mapping.dmp

Download
memory/372-169-0x0000000000000000-mapping.dmp

Download
memory/372-172-0x0000000000000000-mapping.dmp

Download
memory/372-148-0x0000000000000000-mapping.dmp

Download
memory/372-181-0x0000000000000000-mapping.dmp

Download
memory/372-178-0x0000000000000000-mapping.dmp

Download
memory/372-145-0x0000000000000000-mapping.dmp

Download
memory/372-157-0x0000000000000000-mapping.dmp

Download
memory/568-17-0x0000000000000000-mapping.dmp

Download
memory/620-130-0x0000000000411000-mapping.dmp

Download
memory/892-100-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/892-87-0x0000000000000000-mapping.dmp

Download
memory/928-46-0x0000000000000000-mapping.dmp

Download
memory/928-57-0x0000000000000000-mapping.dmp

Download
memory/956-36-0x0000000000000000-mapping.dmp

Download
memory/1060-14-0x0000000002CB0000-0x0000000002CC1000-memory.dmp

Filesize
68KB

Download
memory/1060-11-0x0000000002CB0000-0x0000000002CC1000-memory.dmp

Filesize
68KB

Download
memory/1060-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1060-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1060-3-0x0000000000403670-mapping.dmp

Download
memory/1060-20-0x00000000027B0000-0x00000000027B4000-memory.dmp

Filesize
16KB

Download
memory/1060-19-0x00000000024D0000-0x00000000024D4000-memory.dmp

Filesize
16KB

Download
memory/1060-12-0x00000000030C0000-0x00000000030D1000-memory.dmp

Filesize
68KB

Download
memory/1132-125-0x0000000000403670-mapping.dmp

Download
memory/1132-141-0x0000000002740000-0x0000000002744000-memory.dmp

Filesize
16KB

Download
memory/1132-140-0x0000000000370000-0x0000000000374000-memory.dmp

Filesize
16KB

Download
memory/1276-7-0x0000000000411000-mapping.dmp

Download
memory/1276-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1276-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1332-85-0x0000000000000000-mapping.dmp

Download
memory/1332-99-0x0000000000000000-mapping.dmp

Download
memory/1504-29-0x0000000000411000-mapping.dmp

Download
memory/1656-49-0x00000000021B0000-0x00000000021C1000-memory.dmp

Filesize
68KB

Download
memory/1656-58-0x0000000002460000-0x0000000002471000-memory.dmp

Filesize
68KB

Download
memory/1656-48-0x0000000000000000-mapping.dmp

Download
memory/1696-121-0x0000000002480000-0x0000000002491000-memory.dmp

Filesize
68KB

Download
memory/1696-110-0x0000000000000000-mapping.dmp

Download
memory/1696-111-0x0000000000900000-0x0000000000911000-memory.dmp

Filesize
68KB

Download
memory/1708-164-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-195-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-158-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-159-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-155-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-161-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-162-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-152-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-234-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-153-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-165-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-168-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-150-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-167-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-170-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-171-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-149-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-173-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-174-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-147-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-176-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-177-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-146-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-179-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-180-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-144-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-182-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-183-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-143-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-185-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-139-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-186-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-188-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-189-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-138-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-191-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-192-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-233-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-194-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-156-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-23-0x0000000000403670-mapping.dmp

Download
memory/1708-197-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-198-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-231-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-200-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-201-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-39-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-203-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-204-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-102-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-206-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-207-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-103-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-209-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-210-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-38-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-212-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-213-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-41-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-215-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-216-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-40-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-218-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-219-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-61-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-221-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-222-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-60-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-224-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-225-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-79-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-80-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-228-0x0000000003200000-0x0000000003211000-memory.dmp

Filesize
68KB

Download
memory/1708-227-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1708-230-0x0000000002DF0000-0x0000000002E01000-memory.dmp

Filesize
68KB

Download
memory/1800-68-0x0000000000000000-mapping.dmp

Download
memory/1800-77-0x00000000026B0000-0x00000000026C1000-memory.dmp

Filesize
68KB

Download
memory/2020-108-0x0000000000000000-mapping.dmp

Download
memory/2020-120-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads