warzonerat | e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071

Analysis

max time kernel
148s
max time network
154s
platform
windows10_x64
resource
win10v20201028
submitted
28-02-2021 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
Size

2.9MB
MD5

b861134b7d7740afe1fd8c260a156660
SHA1

52f46a0170de2b9cfc9e22c2022cc8c8d70cbfb8
SHA256

e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071
SHA512

57136622c0905129a919feca202a26b5ce5f7a7cde856fde25be65cd9fc31dbf3d1bd17d91f92ff4340a55085c9259027587d26fb201bd905416efb8b4953ec9

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 30 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 28 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1940	explorer.exe
1152	explorer.exe
1452	explorer.exe
3152	spoolsv.exe
3852	spoolsv.exe
3472	spoolsv.exe
3880	spoolsv.exe
488	spoolsv.exe
1140	spoolsv.exe
3112	spoolsv.exe
2976	spoolsv.exe
1216	spoolsv.exe
1280	spoolsv.exe
3864	spoolsv.exe
3056	spoolsv.exe
1060	spoolsv.exe
2260	spoolsv.exe
3992	spoolsv.exe
2640	spoolsv.exe
3884	spoolsv.exe
3700	spoolsv.exe
1908	spoolsv.exe
3256	spoolsv.exe
2344	spoolsv.exe
3652	spoolsv.exe
1072	spoolsv.exe
3608	spoolsv.exe
3748	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 4 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exespoolsv.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 22 IoCs

Processes:

e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 3300 set thread context of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 set thread context of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 set thread context of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 1940 set thread context of 1152	1940	explorer.exe	explorer.exe
PID 1152 set thread context of 1452	1152	explorer.exe	explorer.exe
PID 1152 set thread context of 3192	1152	explorer.exe	diskperf.exe
PID 3152 set thread context of 3852	3152	spoolsv.exe	spoolsv.exe
PID 3472 set thread context of 3880	3472	spoolsv.exe	spoolsv.exe
PID 488 set thread context of 1140	488	spoolsv.exe	spoolsv.exe
PID 3112 set thread context of 2976	3112	spoolsv.exe	spoolsv.exe
PID 1216 set thread context of 1280	1216	spoolsv.exe	spoolsv.exe
PID 3864 set thread context of 3056	3864	spoolsv.exe	spoolsv.exe
PID 1060 set thread context of 2260	1060	spoolsv.exe	spoolsv.exe
PID 3992 set thread context of 2640	3992	spoolsv.exe	spoolsv.exe
PID 3884 set thread context of 3700	3884	spoolsv.exe	spoolsv.exe
PID 1908 set thread context of 3256	1908	spoolsv.exe	spoolsv.exe
PID 2344 set thread context of 3652	2344	spoolsv.exe	spoolsv.exe
PID 1072 set thread context of 736	1072	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 3608	3880	spoolsv.exe	spoolsv.exe
PID 3852 set thread context of 3748	3852	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 1056	3880	spoolsv.exe	diskperf.exe
PID 3852 set thread context of 1644	3852	spoolsv.exe	diskperf.exe

Drops file in Windows directory 16 IoCs

Processes:

explorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
1940	explorer.exe
1940	explorer.exe
3152	spoolsv.exe
3152	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
1452	explorer.exe
1452	explorer.exe
3472	spoolsv.exe
3472	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
488	spoolsv.exe
488	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
3112	spoolsv.exe
3112	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
1216	spoolsv.exe
1216	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
3864	spoolsv.exe
3864	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
1060	spoolsv.exe
1060	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
3992	spoolsv.exe
3992	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
3884	spoolsv.exe
3884	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
1908	spoolsv.exe
1908	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
2344	spoolsv.exe
2344	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
1072	spoolsv.exe
1072	spoolsv.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

pid	process
3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
1940	explorer.exe
1940	explorer.exe
1452	explorer.exe
1452	explorer.exe
3152	spoolsv.exe
3152	spoolsv.exe
1452	explorer.exe
1452	explorer.exe
3472	spoolsv.exe
3472	spoolsv.exe
488	spoolsv.exe
488	spoolsv.exe
3112	spoolsv.exe
3112	spoolsv.exe
1216	spoolsv.exe
1216	spoolsv.exe
3864	spoolsv.exe
3864	spoolsv.exe
1060	spoolsv.exe
1060	spoolsv.exe
3992	spoolsv.exe
3992	spoolsv.exe
3884	spoolsv.exe
3884	spoolsv.exe
1908	spoolsv.exe
1908	spoolsv.exe
2344	spoolsv.exe
2344	spoolsv.exe
1072	spoolsv.exe
1072	spoolsv.exe
3608	spoolsv.exe
3748	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exee91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exeexplorer.exe

description	pid	process	target process
PID 3300 wrote to memory of 4032	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	cmd.exe
PID 3300 wrote to memory of 4032	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	cmd.exe
PID 3300 wrote to memory of 4032	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	cmd.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3300 wrote to memory of 3240	3300	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3876	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
PID 3240 wrote to memory of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 3240 wrote to memory of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 3240 wrote to memory of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 3240 wrote to memory of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 3240 wrote to memory of 3052	3240	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	diskperf.exe
PID 3876 wrote to memory of 1940	3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	explorer.exe
PID 3876 wrote to memory of 1940	3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	explorer.exe
PID 3876 wrote to memory of 1940	3876	e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe	explorer.exe
PID 1940 wrote to memory of 2668	1940	explorer.exe	cmd.exe
PID 1940 wrote to memory of 2668	1940	explorer.exe	cmd.exe
PID 1940 wrote to memory of 2668	1940	explorer.exe	cmd.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe
PID 1940 wrote to memory of 1152	1940	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
"C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:4032

C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
C:\Users\Admin\AppData\Local\Temp\e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:2668

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1152

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3852

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1644

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3608

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:3416

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:3948

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1140

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2976

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1280

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3624

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3056

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3700

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3224

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:708

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3048

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:736

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2800

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:3192

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:3052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
6e0ecce9c49aa417d5da7f75f8d950fd

SHA1
d0eaf1c205c03a3cba35b5ba9a1df4490f4bc0c9

SHA256
a726e193dfaaf89c198f5493326514fdcfbe46ee40de928d4959a03a928fdb8d

SHA512
fea39ce292bdb51b76377181b6c041ce3138ea6b645ba0d12d8ea703b542ff096547ac469a7f36ddc8656b96f3eeb5b6a0e5ba49e0c99726ab4c0d235d56fed0

Download Submit
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b861134b7d7740afe1fd8c260a156660

SHA1
52f46a0170de2b9cfc9e22c2022cc8c8d70cbfb8

SHA256
e91357a97e614e2d7dc5a07046057741bc0e6c5ec791a80373e3730542728071

SHA512
57136622c0905129a919feca202a26b5ce5f7a7cde856fde25be65cd9fc31dbf3d1bd17d91f92ff4340a55085c9259027587d26fb201bd905416efb8b4953ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
6697e45391b73a6dfbec572e178373ca

SHA1
b366670ade39c00773e898ab73101a609fcd5c01

SHA256
d9cd1555819c4a905af755f33d13581cef7b3947f13caf5132c22df9747cbd01

SHA512
da0874ec620d0774d6da47af67e3e6466d61d08e4f27e4645235a41b54032ff0465239ce20e432548c72b421f406cf5e0e01af4416bda15975b130bd952d679c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\System\explorer.exe
MD5
7c17cadb268c4a9e3f9677bb7edbdecc

SHA1
115a00d4c0b91939b5affeb42621b4071bd91995

SHA256
aba6699fa543cfaddc30a248e5646e3ddba9d94c368a3eac83dacf7dc1cc5aaa

SHA512
1ca0bcd059298ccece0effd531b6a780ecb60f7e89d052c7e2f017889e33a55bb96c6250b7cb307dd0dc6eba488c2e590214075e44881c9739ef820c41a438b4

Download Submit
C:\Windows\System\explorer.exe
MD5
6697e45391b73a6dfbec572e178373ca

SHA1
b366670ade39c00773e898ab73101a609fcd5c01

SHA256
d9cd1555819c4a905af755f33d13581cef7b3947f13caf5132c22df9747cbd01

SHA512
da0874ec620d0774d6da47af67e3e6466d61d08e4f27e4645235a41b54032ff0465239ce20e432548c72b421f406cf5e0e01af4416bda15975b130bd952d679c

Download Submit
C:\Windows\System\explorer.exe
MD5
6697e45391b73a6dfbec572e178373ca

SHA1
b366670ade39c00773e898ab73101a609fcd5c01

SHA256
d9cd1555819c4a905af755f33d13581cef7b3947f13caf5132c22df9747cbd01

SHA512
da0874ec620d0774d6da47af67e3e6466d61d08e4f27e4645235a41b54032ff0465239ce20e432548c72b421f406cf5e0e01af4416bda15975b130bd952d679c

Download Submit
C:\Windows\System\explorer.exe
MD5
6697e45391b73a6dfbec572e178373ca

SHA1
b366670ade39c00773e898ab73101a609fcd5c01

SHA256
d9cd1555819c4a905af755f33d13581cef7b3947f13caf5132c22df9747cbd01

SHA512
da0874ec620d0774d6da47af67e3e6466d61d08e4f27e4645235a41b54032ff0465239ce20e432548c72b421f406cf5e0e01af4416bda15975b130bd952d679c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3376d64ccdb95b750c187b2bc870dfe1

SHA1
82a26c6503d423f80b00e16ea52bd3a09b9a84f4

SHA256
aefc1b944c31ba5d62bec2232fd71f26a1392bdcafa17dba38cdb1ee3ebc13c2

SHA512
0eeb62fbbbd45cc3d491bde994aa96f5bf76d53568b868aee6ab021682c27b2408844e8455d92e7612e7d6e5cb0bc75aeb5adad96da8e3cf2808b332e5401b44

Download Submit
C:\Windows\System\spoolsv.exe
MD5
adf359bbad2ce14a59c7659fa5d1e2c6

SHA1
d86069b4d019b024546e173bbfc748b71e4204f8

SHA256
59cc2bb0801a083ea0f538449f8926bbdc1b02f98cf68153bd0a7eff162bb799

SHA512
0a2d006ca0b306966c8aeabf76984e10d5d78dddb3b54d3de271e752a9f75ce168e477a885198d2a6be3fc8b1098e18d89220000252d3c619dc6a5b4e0bc0be1

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ed9681662cc69524f1b4c48dd6a2b896

SHA1
e08abdc7d045ef98dda12ceb230efec4e5b6a1ec

SHA256
4894d35b624604f7f8c828b06514ce183a1625726af2f818e3ba30e6080a4c45

SHA512
a7f25dfd6e8a5630cba665a90ca98e0de58e7d5b28795ba4b65fad3473a58637153c78b1f8c549dca43f23f3ffabef61b0c32b13f88f67cc09c98942a6841465

Download Submit
C:\Windows\System\spoolsv.exe
MD5
0abf6ed381444d34527dd6a058ecd54e

SHA1
ea7e38caf89f3b7db593e9d937451d97cc1e7545

SHA256
ac24f10f0b0ff04419d1b6ea5fc43c2c2943c205e3ac4bb570de079259c13758

SHA512
e3316da419afe2c50fb82868c5c86c39d467ff55523615d3284ff927cdebd0656f85784ec054ffa081342b601560e2f99de9611deb91fa4a41e9d62d9154da58

Download Submit
C:\Windows\System\spoolsv.exe
MD5
f0ddcc2fb63048757f90b13623d4ad1c

SHA1
8eb720b3dbb548b4c5ec2e9982e9a989ef210f18

SHA256
b5a2520388a8743c681191a2e81f99bb3cad8e842bf395127f1ee9110d4cf9a4

SHA512
5354c43ab48849b6479f95eabac515ef6498f5447afe4bc6c94417a29beac91baeadacd5b3316da9a5b5aff617d56aaf21c7f2833fa1f21a282622bf082ac4b5

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
C:\Windows\System\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
\??\c:\windows\system\explorer.exe
MD5
6697e45391b73a6dfbec572e178373ca

SHA1
b366670ade39c00773e898ab73101a609fcd5c01

SHA256
d9cd1555819c4a905af755f33d13581cef7b3947f13caf5132c22df9747cbd01

SHA512
da0874ec620d0774d6da47af67e3e6466d61d08e4f27e4645235a41b54032ff0465239ce20e432548c72b421f406cf5e0e01af4416bda15975b130bd952d679c

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
97b2a64fa68f82cb96977774fde61873

SHA1
502365546a1e75ba059093e04cd206c859bf1c81

SHA256
2092dfa8ac7e2bd4d97eb9a929ff170cc53fa4e40a758058087fec186e80b924

SHA512
0d3732eaecf94b8a0d96741edb2d66967174057736e4ee8a6758ab147cd963a4c375a9ad4039fc598ad67e36182513aa5d2ad85157ef92d0ff14a943730d2b25

Download Submit
memory/344-86-0x0000000000000000-mapping.dmp

Download
memory/488-62-0x0000000000000000-mapping.dmp

Download
memory/708-146-0x0000000000000000-mapping.dmp

Download
memory/736-183-0x00000000004E7001-mapping.dmp

Download
memory/1056-172-0x0000000000411000-mapping.dmp

Download
memory/1060-104-0x0000000000000000-mapping.dmp

Download
memory/1072-154-0x0000000000000000-mapping.dmp

Download
memory/1140-68-0x00000000004E7001-mapping.dmp

Download
memory/1140-76-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/1152-27-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/1152-24-0x00000000004E7001-mapping.dmp

Download
memory/1216-84-0x0000000000000000-mapping.dmp

Download
memory/1280-89-0x00000000004E7001-mapping.dmp

Download
memory/1280-98-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/1312-55-0x0000000000000000-mapping.dmp

Download
memory/1452-91-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-112-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-143-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-71-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-141-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-70-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-81-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-82-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-29-0x0000000000403670-mapping.dmp

Download
memory/1452-132-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-61-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-131-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-60-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-187-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-186-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-92-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-151-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-121-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-152-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-122-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-51-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-111-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-101-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-102-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-50-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1452-49-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/1452-48-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1644-175-0x0000000000411000-mapping.dmp

Download
memory/1908-134-0x0000000000000000-mapping.dmp

Download
memory/1940-17-0x0000000000000000-mapping.dmp

Download
memory/2168-116-0x0000000000000000-mapping.dmp

Download
memory/2260-109-0x00000000004E7001-mapping.dmp

Download
memory/2260-118-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2344-144-0x0000000000000000-mapping.dmp

Download
memory/2640-128-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/2640-119-0x00000000004E7001-mapping.dmp

Download
memory/2668-21-0x0000000000000000-mapping.dmp

Download
memory/2800-190-0x0000000000000000-mapping.dmp

Download
memory/2976-79-0x00000000004E7001-mapping.dmp

Download
memory/2976-87-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3048-156-0x0000000000000000-mapping.dmp

Download
memory/3052-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3052-10-0x0000000000411000-mapping.dmp

Download
memory/3052-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3056-99-0x00000000004E7001-mapping.dmp

Download
memory/3056-107-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3112-73-0x0000000000000000-mapping.dmp

Download
memory/3152-40-0x0000000000000000-mapping.dmp

Download
memory/3192-34-0x0000000000411000-mapping.dmp

Download
memory/3224-136-0x0000000000000000-mapping.dmp

Download
memory/3240-3-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3240-4-0x00000000004E7001-mapping.dmp

Download
memory/3240-5-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3240-6-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3256-148-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3256-139-0x00000000004E7001-mapping.dmp

Download
memory/3344-75-0x0000000000000000-mapping.dmp

Download
memory/3416-180-0x0000000000000000-mapping.dmp

Download
memory/3464-125-0x0000000000000000-mapping.dmp

Download
memory/3472-52-0x0000000000000000-mapping.dmp

Download
memory/3568-43-0x0000000000000000-mapping.dmp

Download
memory/3608-161-0x0000000000403670-mapping.dmp

Download
memory/3624-96-0x0000000000000000-mapping.dmp

Download
memory/3652-149-0x00000000004E7001-mapping.dmp

Download
memory/3652-158-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3688-176-0x0000000000000000-mapping.dmp

Download
memory/3700-138-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/3700-129-0x00000000004E7001-mapping.dmp

Download
memory/3736-65-0x0000000000000000-mapping.dmp

Download
memory/3748-162-0x0000000000403670-mapping.dmp

Download
memory/3852-57-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3852-46-0x00000000004E7001-mapping.dmp

Download
memory/3864-93-0x0000000000000000-mapping.dmp

Download
memory/3876-15-0x0000000003B70000-0x0000000003B71000-memory.dmp

Filesize
4KB

Download
memory/3876-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3876-8-0x0000000000403670-mapping.dmp

Download
memory/3876-14-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/3876-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-58-0x00000000004E7001-mapping.dmp

Download
memory/3880-66-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3884-123-0x0000000000000000-mapping.dmp

Download
memory/3992-113-0x0000000000000000-mapping.dmp

Download
memory/4024-106-0x0000000000000000-mapping.dmp

Download
memory/4032-2-0x0000000000000000-mapping.dmp

Download
memory/4036-188-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads