warzonerat | 3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
Size

2.9MB
MD5

afa3b653790bb2f249e8449d6bb56800
SHA1

0e7747d97a832bd5819f63a8d60145ef6a3dc221
SHA256

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d
SHA512

fadd77d03c63e673237a8c5ecea5fefea063df1e14bcc90533d0c741c199a43f1334ac8483c36c42a77c6fca6a4a3de0379cc3c0ebbca44eb1a0f373ad1c0c5e

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 39 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 20 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exe

pid	process
1568	explorer.exe
820	explorer.exe
1136	explorer.exe
1900	spoolsv.exe
1752	spoolsv.exe
1948	spoolsv.exe
1304	spoolsv.exe
1648	spoolsv.exe
428	spoolsv.exe
1568	spoolsv.exe
1932	spoolsv.exe
1068	spoolsv.exe
1680	spoolsv.exe
1404	spoolsv.exe
1528	spoolsv.exe
1896	spoolsv.exe
1800	spoolsv.exe
924	explorer.exe
1256	spoolsv.exe
324	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 7 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Loads dropped DLL 29 IoCs

Processes:

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1136	explorer.exe
1136	explorer.exe
1900	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1948	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1648	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1568	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1068	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1404	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1896	spoolsv.exe
1752	spoolsv.exe
1800	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
324	spoolsv.exe
428	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe

Suspicious use of SetThreadContext 17 IoCs

Processes:

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 328 set thread context of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 set thread context of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 set thread context of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 1568 set thread context of 820	1568	explorer.exe	explorer.exe
PID 820 set thread context of 1136	820	explorer.exe	explorer.exe
PID 820 set thread context of 1868	820	explorer.exe	diskperf.exe
PID 1900 set thread context of 1752	1900	spoolsv.exe	spoolsv.exe
PID 1948 set thread context of 1304	1948	spoolsv.exe	spoolsv.exe
PID 1648 set thread context of 428	1648	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 1932	1568	spoolsv.exe	spoolsv.exe
PID 1068 set thread context of 1680	1068	spoolsv.exe	spoolsv.exe
PID 1404 set thread context of 1528	1404	spoolsv.exe	spoolsv.exe
PID 1896 set thread context of 1256	1896	spoolsv.exe	spoolsv.exe
PID 1752 set thread context of 1800	1752	spoolsv.exe	spoolsv.exe
PID 1752 set thread context of 1452	1752	spoolsv.exe	diskperf.exe
PID 924 set thread context of 1004	924	explorer.exe	explorer.exe
PID 324 set thread context of 272	324	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 13 IoCs

Processes:

spoolsv.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

pid	process
328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1568	explorer.exe
1900	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1948	spoolsv.exe
1136	explorer.exe
1648	spoolsv.exe
1136	explorer.exe
1568	spoolsv.exe
1136	explorer.exe
1068	spoolsv.exe
1136	explorer.exe
1404	spoolsv.exe
1136	explorer.exe
1896	spoolsv.exe
924	explorer.exe
1136	explorer.exe
324	spoolsv.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

pid	process
328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
1568	explorer.exe
1568	explorer.exe
1136	explorer.exe
1136	explorer.exe
1900	spoolsv.exe
1900	spoolsv.exe
1136	explorer.exe
1136	explorer.exe
1948	spoolsv.exe
1948	spoolsv.exe
1648	spoolsv.exe
1648	spoolsv.exe
1568	spoolsv.exe
1568	spoolsv.exe
1068	spoolsv.exe
1068	spoolsv.exe
1404	spoolsv.exe
1404	spoolsv.exe
1896	spoolsv.exe
1896	spoolsv.exe
1800	spoolsv.exe
1800	spoolsv.exe
924	explorer.exe
924	explorer.exe
324	spoolsv.exe
324	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exeexplorer.exe

description	pid	process	target process
PID 328 wrote to memory of 1736	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	cmd.exe
PID 328 wrote to memory of 1736	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	cmd.exe
PID 328 wrote to memory of 1736	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	cmd.exe
PID 328 wrote to memory of 1736	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	cmd.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 328 wrote to memory of 2012	328	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1124	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 2012 wrote to memory of 1084	2012	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	diskperf.exe
PID 1124 wrote to memory of 1568	1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	explorer.exe
PID 1124 wrote to memory of 1568	1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	explorer.exe
PID 1124 wrote to memory of 1568	1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	explorer.exe
PID 1124 wrote to memory of 1568	1124	3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe	explorer.exe
PID 1568 wrote to memory of 844	1568	explorer.exe	cmd.exe
PID 1568 wrote to memory of 844	1568	explorer.exe	cmd.exe
PID 1568 wrote to memory of 844	1568	explorer.exe	cmd.exe
PID 1568 wrote to memory of 844	1568	explorer.exe	cmd.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe
PID 1568 wrote to memory of 820	1568	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
"C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1736

C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
C:\Users\Admin\AppData\Local\Temp\3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:844

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:820

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1136

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:316

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1800

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1500

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1004

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1452

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:944

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1572

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1764

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1696

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1404

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1256

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1432

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:272

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1868

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:1084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:1904

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
afa3b653790bb2f249e8449d6bb56800

SHA1
0e7747d97a832bd5819f63a8d60145ef6a3dc221

SHA256
3f2ffb688380b230451dabe67fbbbf421577db26012887e3f5b6c74ed852da1d

SHA512
fadd77d03c63e673237a8c5ecea5fefea063df1e14bcc90533d0c741c199a43f1334ac8483c36c42a77c6fca6a4a3de0379cc3c0ebbca44eb1a0f373ad1c0c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe
MD5
9798353fce470b40027cd8c986a87670

SHA1
a24004e6f358df279c1bf21e82bf24ab12ecae35

SHA256
868dde8cde73f5fc5a8d46815c215faabf6ac2362a48c2de0989e4096bbf1101

SHA512
30a44417a54df4b5da19a1b7b3c96af371fb9f5647390355b3b1969b4c73b3f6194c9fc9490c4ffc273cd5df65e85b94b1eff029dea15497dfdc9f621425802b

Download Submit
C:\Windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
C:\Windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
C:\Windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
C:\Windows\system\spoolsv.exe
MD5
e2fcdb80195d9be40609deabac0512cd

SHA1
550a30ecc5a94af61a14fb57f8c471120b33f81d

SHA256
214e8b4108de311d250ffdd7f7fc62eb4f8435bf7e2517733d048100e5d51639

SHA512
29c870a3a3d42654e240193cc27e689df8a9404a9f6c17d51f3c838de5362414c7bb2b10925a1dcde0df1c6652ecf96b8c78cf0c6961f004f27c0c7daf20118a

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
5a02dc1eacbc860bd0e95ea21f487e52

SHA1
785716387d2617b454e0d6a76f33c241efa77994

SHA256
9732cf82aa5e09333515c2431745fa68ea4a76ec504981ca16710e7aba789dcd

SHA512
9d181a664543b6955de9156ad5f9103f62dc35cae7f5b36ff1d7e0e538c10828cebd00dd062392a50bb194d262be629d3d1ae5a87d38d1ffa8283dac9b612df8

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d201834174993b08b9d7b67fa8a6069b

SHA1
b60d4644fdb97e6e5d4336df8092344563ab6f7a

SHA256
e23c96fc601d63258beb78181dc3d92849861024f0156c18455caad10c88221e

SHA512
2b2d68411e188dfb27a7c85bcf4cce28e4e3546c8086d6955d6468afc334c7e83fc300bed9ca61f5aa45c269adec1a9e49799ec9facc2f99bb7b6fd37f06584d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
0d6c31fd41b163427ca8ac944ae87735

SHA1
5965ea3cb6b08a4e849574c4d4b0cebca34e2b94

SHA256
1e3e6e90e7aa27f8d5727893565b5aad50c72333a73acf072e4cba364292f0f6

SHA512
1f310afa620128c34bcd6c67881a25edcc266845c9fb3bec9b359fed8a6cfefaec81a7cb7607070aa3c574d72ee937393a65b3b851568b699ab255a54ccfa90c

Download Submit
C:\Windows\system\spoolsv.exe
MD5
d68bce7bec2765d457fb9fbeebd887fe

SHA1
c9da8334280acb22dc848c2268e99befdf874cbf

SHA256
ab69bd0f49ee98337acccfc6f7dd3f7fb37fd5aa4afca9f7f5dc585446abf7d9

SHA512
2760c659f8d66c743584e896a943955d713a85dc6ec04b41420f99fd2c4f7db7bf02ff7f1f17f4d8cb620fa236426fda16fde7e6be4aba7e79b9fc9adf3eb4d5

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
6f359a27bf5f877ad7362e6111c152e7

SHA1
84125f3d99f1bfd4089a53a07a240470b2a26a67

SHA256
e966c3fd94c82c063ab1198e24b5c17b475af2527e1bbe7963162aea6e8bf39b

SHA512
c2b1177eae8d183f661e4603d4a375c2d9742eb7156aea0f82be0fd7ae108b6188603f03c6950770ada27cc2b9a37718a145c58385e0827dca220805855e423a

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
e82efa69d28aa399e3f8518bc6ae5d01

SHA1
f41ab28de1e4d74f10b2f6a7b0f12aa8d6e10db1

SHA256
b49479c2be0f1a46499b0cd90a31efac5bc1c932fad7f41037f671df6b5443c4

SHA512
c9fb74239d1f863b010df77b14e1859cb98609f6dfbdd95bdebbee4374f21d4faa6fb0301aeb9599d989c7e0006029ae03ab0f768150771589f840d7b512df5f

Download Submit
C:\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\??\c:\windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\explorer.exe
MD5
c34f03c512acdf8a519581d2d0c9d446

SHA1
1aa9802e6fdff92625f7d3c2a11b98ebbfa6a417

SHA256
fc77551e6abdb64648737cb9cae4de2aee233ae97e7aeca884fcfc42c5c2c805

SHA512
54f37c73481606e6c45e3cccd8a8dab39d7b9758fd4012fed7f8c3611576ddd3ed5f4599e9587a67f01d29f8dedee2484f412ee73efc94fdff17b1a758dbdfcf

Download Submit
\Windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
\Windows\system\explorer.exe
MD5
6b37d00609df82a039ef78a87faa6ee5

SHA1
30c784622f4d07d3316e45ebb81090c2b9a8d49e

SHA256
083f28eb22e6869761e7edecc958f55aa413115096706f854f3e09eb4529ce8d

SHA512
05cb81116b9fc99ee7d288b5de01c95f44831ca38286928c6789b3344a58c69a36adb430ad90e065a1259a521f6138a0b4857eb9106ca6f0815256ae14f3b730

Download Submit
\Windows\system\spoolsv.exe
MD5
95ecd9e3635952682a62d820cc3725e2

SHA1
0b56687cc2041b3ea1f142e064ee614c2c06637a

SHA256
cd46daf87bb793fffa90fefa4527c7915fb4f8ab2aaf795c2da2e9e8e67875a3

SHA512
941c84b57a37091ab04211441d27b0a5b216ec876b7df770ec8a8f7f21a9ffadd848ba7c9a6619903d6d732547aeb7a0b4c521b541d41c9a5d258ae86ba9a1b0

Download Submit
\Windows\system\spoolsv.exe
MD5
a5107073cd3575dd3ae6402107bc26af

SHA1
ecd298a86201224cdf288ea48d4de993bbce5c83

SHA256
c01d9ca3d968d1eba59e3c45180dbc654e07310919e4c293ea6ea9888861a102

SHA512
14e0f69e987ab7c8195d2842beb4b11cd82e1f4c26a64033371f61015d911f9a1384cff751c2d937cf2704f4061a90fa5a0d9da0980088767a4819db2d34d6b0

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
5047d3b6f9b3c9a3f04d226e1fdfae16

SHA1
fc193b79f0872e29d8106509f5a028ba5a6d6113

SHA256
90d2a2111f689f65770073dffac179e0049e93bd221ecfb3ea780df17c416454

SHA512
35287933d07589932c88da2b4aa7b72839e46df71972c619111fef8b5246d3a7f0a14c9da4a1fd2be30413305987f825f5dbc944237d1935358f0c51122a56a2

Download Submit
\Windows\system\spoolsv.exe
MD5
675171c57ef1ce5ced90ca116ae0a32a

SHA1
c93b4aafbfb796d4bf38378487e45ae007fe8c75

SHA256
b9d162720607b056c9a6418dbed6f66d8dc385dad12e844dc17423404a4644ed

SHA512
6dae7ca1b5cc9932ac5bd39c3763bfe6de24d78670bd0f1d67781e07229fa4a5f0a2c9c8a352916602ac6117074e0c208d280b9b6da2eee7fb908c1d51cde1f2

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
9c81ff9fcffaf2c1fa3da1d7d271dc42

SHA1
bc8597ac57c927eba07a40650ecba4a6e6739e1d

SHA256
ed26aeeda6a96953fa72f2da80aebe5c868007084d01b5088e922718ba4d1e83

SHA512
9814b5e257e282da72eefaadbf30c8a748904201bd8d4c3f0f720be3d8f768f11a8d75b97fb9f0d8bde3c90c119e0f23b6159456a526a1bf2cfee3ea3f089a19

Download Submit
\Windows\system\spoolsv.exe
MD5
5632405693ef7a9a96ed7c20764295de

SHA1
304ba5078b8b934676f23644880c780737c8a3a6

SHA256
12795ee8201a5ced50267d51400f94b809a4b48bd4b761b13ab905b33de7fcf5

SHA512
664aa7feab2d8b7504555732b655a16dada1f0fbc5fd6488a1e1af8e19a8a746fbfc78d716584c890bca5fff77182f0f6f555973e5acab689f3b605d9d8ed7dc

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
6010fb68cfb85487c5d9a02c8cef1a78

SHA1
1f56dc0ef06dbcbec0da7450a60b242ea49be548

SHA256
00f4db4a49a349d793fbb1a75e468e8bd1906f5c3f033364380d50048b846142

SHA512
4c38883941015b81ac4d1d377d3a1c8bca15de741b9d3f9e87928843e1bc4a964a87b19d632ff6db9ad36ea6a01934efce692ce830b7155185c4516c2ffa0b49

Download Submit
\Windows\system\spoolsv.exe
MD5
0d6c31fd41b163427ca8ac944ae87735

SHA1
5965ea3cb6b08a4e849574c4d4b0cebca34e2b94

SHA256
1e3e6e90e7aa27f8d5727893565b5aad50c72333a73acf072e4cba364292f0f6

SHA512
1f310afa620128c34bcd6c67881a25edcc266845c9fb3bec9b359fed8a6cfefaec81a7cb7607070aa3c574d72ee937393a65b3b851568b699ab255a54ccfa90c

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
82a98e62c950d33060140e6be5b283ea

SHA1
6054a02dc5bfc2f40b2e2c4f99e94791146352d7

SHA256
81bacc305e737dcd49b2853d36b6130c6632268e4221ee8117c7eaf9fab03f04

SHA512
236fabe307ced3834cb158f83e693a361bdffcfb451264b54c9bf0a5528199915cba504152684f5f7cd6446e29025fef7364c6df95a8c333729954e830116cdd

Download Submit
\Windows\system\spoolsv.exe
MD5
7b0fd216b73afed9348dfd69ac59f285

SHA1
59d75c3bbf5b2563cb50082329b396d7c356089a

SHA256
313f030b1d667fa5e2090f71bac9f158e92c19b043c48c3dbd92984f75b61c0d

SHA512
2001fdbe6c9cf1033638fa149c9276f558cac48922719f18b539288321d2f2cc4ecb0f67ba39b9d44470717c8ccf2ccb1cff5115568765bc637fb5e346e5b784

Download Submit
\Windows\system\spoolsv.exe
MD5
ad136c08f1d2efae0d24c5f87b541ebc

SHA1
7d32d9b091089221bad864f436df3d403b48cc74

SHA256
08fab5e7100a8b015bf069e7d7f9c4c476b4e376b23cdeb20609028e47e110a7

SHA512
1f44f075bdd0267066de1c1a2a61868716ebebb7eecb8340208f146323f80de4b6c9edb08525ff7d4d2cd57c344742335b9ef2e47375d35bf9899cdd979cdc35

Download Submit
\Windows\system\spoolsv.exe
MD5
f35bcbff3381e040371a19a7170a2315

SHA1
ecf669ba8d8f3216c62a18b94d824192aa5c5a67

SHA256
16d7ba0497fc775f3558e313d22d7a5fb693385a55644098ae8a644836aa284d

SHA512
65303caf17f67df45b479f1a88957f7e19a473a9de52f9da316e0939ebec729d134c68dd01f934c829fa9635f4b2ae501fff60a73a17e97ead86c9a0bc085f4a

Download Submit
\Windows\system\spoolsv.exe
MD5
880b7cf0fa997286237d61ebccf1fd5c

SHA1
7b3fbf1b4b78a126ac11f62cb4930456176447c5

SHA256
d3f2938ca7cb5fcb32bd931f86c179a3edf71cdacac26073fbe922e0863fc941

SHA512
1424260a6790805bbfa1190199adaa0ed8ac215e457fd269f61da6e198166d79f87d8642b447d06ade1bd5a81911551fd4da3f7375ea3fe5d3118e6685632a7b

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
\Windows\system\spoolsv.exe
MD5
4431ccb1d085d1dc35f3c3bf4c40c925

SHA1
c131472e1aff7fd5ee00e4f9e6bacb09f4e5f863

SHA256
bab0dec24a731b844d35b1c0078bced696e059b654090bc50376e5348ff04aeb

SHA512
d7a7ae9637f9ea3561b9d3c1c623db9cbb2394b062489c03ae90d2c32dd48804d85378bdacd92c592c65503e4930d28bd253a02175dc5da7f1add08606914b85

Download Submit
\Windows\system\spoolsv.exe
MD5
d0fb1ebe7804a70370fca8115d5e7574

SHA1
8001b06bfe3208813f5ea269ea1159dd218def15

SHA256
6f941fb7df2a92d383da0431ce3f4be2c31b7e2c55c1a16d760c434c5692943f

SHA512
a01bf16ad8da988e83e501100d1119f304b47d48e662aa859f78d06631925713df7043768c5ec7f801d4c4655907448cfd744e0c330993f15bacea6f320894ff

Download Submit
\Windows\system\spoolsv.exe
MD5
dc62d4566b10f453f74ebb461b1adc72

SHA1
443c74c3dc3b7ba7716af6ec462fd7049fa5928b

SHA256
12c4be680c35ddc4de75d9d05ec55b4e59433c626e49544426a31f99f1668b71

SHA512
3073e6b8997969a02070d55285a1d5d4b03b02a49f3300299f3b3beba6e2b3523a3e0e904d8e1de3da907625f4994061043670a8037e3dc94e65a31bf240e00d

Download Submit
memory/316-59-0x0000000000000000-mapping.dmp

Download
memory/324-191-0x0000000000000000-mapping.dmp

Download
memory/328-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/428-98-0x00000000004E7001-mapping.dmp

Download
memory/684-110-0x0000000000000000-mapping.dmp

Download
memory/744-158-0x0000000000000000-mapping.dmp

Download
memory/820-32-0x00000000004E7001-mapping.dmp

Download
memory/820-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/844-29-0x0000000000000000-mapping.dmp

Download
memory/924-174-0x0000000000000000-mapping.dmp

Download
memory/944-77-0x0000000000000000-mapping.dmp

Download
memory/1068-124-0x0000000000000000-mapping.dmp

Download
memory/1084-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1084-13-0x0000000000411000-mapping.dmp

Download
memory/1084-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1124-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-23-0x0000000002E10000-0x0000000002E21000-memory.dmp

Filesize
68KB

Download
memory/1124-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-34-0x0000000000330000-0x0000000000334000-memory.dmp

Filesize
16KB

Download
memory/1124-36-0x0000000002910000-0x0000000002914000-memory.dmp

Filesize
16KB

Download
memory/1124-10-0x0000000000403670-mapping.dmp

Download
memory/1124-19-0x0000000003220000-0x0000000003231000-memory.dmp

Filesize
68KB

Download
memory/1124-18-0x0000000002E10000-0x0000000002E21000-memory.dmp

Filesize
68KB

Download
memory/1136-67-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-118-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-68-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-151-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-185-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-84-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-134-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-65-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-187-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-69-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-40-0x0000000000403670-mapping.dmp

Download
memory/1136-117-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-135-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-85-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-100-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1136-103-0x0000000003110000-0x0000000003121000-memory.dmp

Filesize
68KB

Download
memory/1136-149-0x0000000002D00000-0x0000000002D11000-memory.dmp

Filesize
68KB

Download
memory/1256-183-0x00000000004E7001-mapping.dmp

Download
memory/1304-82-0x00000000004E7001-mapping.dmp

Download
memory/1404-139-0x0000000000000000-mapping.dmp

Download
memory/1432-194-0x0000000000000000-mapping.dmp

Download
memory/1452-172-0x0000000000411000-mapping.dmp

Download
memory/1500-178-0x0000000000000000-mapping.dmp

Download
memory/1528-148-0x00000000004E7001-mapping.dmp

Download
memory/1528-179-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1568-25-0x0000000000000000-mapping.dmp

Download
memory/1568-107-0x0000000000000000-mapping.dmp

Download
memory/1572-93-0x0000000000000000-mapping.dmp

Download
memory/1648-89-0x0000000000000000-mapping.dmp

Download
memory/1680-147-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1680-132-0x00000000004E7001-mapping.dmp

Download
memory/1696-127-0x0000000000000000-mapping.dmp

Download
memory/1736-3-0x0000000000000000-mapping.dmp

Download
memory/1752-63-0x00000000004E7001-mapping.dmp

Download
memory/1800-165-0x0000000000403670-mapping.dmp

Download
memory/1868-46-0x0000000000411000-mapping.dmp

Download
memory/1896-155-0x0000000000000000-mapping.dmp

Download
memory/1900-55-0x0000000000000000-mapping.dmp

Download
memory/1904-142-0x0000000000000000-mapping.dmp

Download
memory/1932-131-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1932-115-0x00000000004E7001-mapping.dmp

Download
memory/1948-73-0x0000000000000000-mapping.dmp

Download
memory/2012-7-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2012-8-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2012-5-0x00000000004E7001-mapping.dmp

Download
memory/2012-4-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads