warzonerat | 69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5

Analysis

max time kernel
145s
max time network
12s
platform
windows7_x64
resource
win7v20201028
submitted
28-02-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
Size

2.9MB
MD5

bae582e3781b693c05fb1a65d7496500
SHA1

1a38ec721cc0b688564e0281282f07551a660fc0
SHA256

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5
SHA512

ec015852a100dda336d2785490ca18619baa692200ca940950500829a802f9205706c7e89b02a2c43294e525ca29065c6d3f19a40d80546f25ca65c152974371

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 54 IoCs

rat

Processes:

resource	yara_rule
\Windows\system\explorer.exe	warzonerat
\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat

Executes dropped EXE 25 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1016	explorer.exe
1624	explorer.exe
916	explorer.exe
532	spoolsv.exe
1828	spoolsv.exe
1932	spoolsv.exe
948	spoolsv.exe
1392	spoolsv.exe
1472	spoolsv.exe
1584	spoolsv.exe
1560	spoolsv.exe
596	spoolsv.exe
1240	spoolsv.exe
824	spoolsv.exe
1600	spoolsv.exe
1628	spoolsv.exe
1312	spoolsv.exe
1716	spoolsv.exe
1040	spoolsv.exe
1464	spoolsv.exe
1532	spoolsv.exe
428	spoolsv.exe
380	spoolsv.exe
1288	spoolsv.exe
1920	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 11 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Loads dropped DLL 36 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
916	explorer.exe
916	explorer.exe
532	spoolsv.exe
916	explorer.exe
916	explorer.exe
1932	spoolsv.exe
916	explorer.exe
916	explorer.exe
1392	spoolsv.exe
916	explorer.exe
916	explorer.exe
1584	spoolsv.exe
916	explorer.exe
916	explorer.exe
596	spoolsv.exe
916	explorer.exe
916	explorer.exe
824	spoolsv.exe
916	explorer.exe
916	explorer.exe
1628	spoolsv.exe
916	explorer.exe
916	explorer.exe
1716	spoolsv.exe
916	explorer.exe
916	explorer.exe
1464	spoolsv.exe
916	explorer.exe
916	explorer.exe
428	spoolsv.exe
916	explorer.exe
916	explorer.exe
1288	spoolsv.exe
1828	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

spoolsv.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1020 set thread context of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 set thread context of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 set thread context of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1016 set thread context of 1624	1016	explorer.exe	explorer.exe
PID 1624 set thread context of 916	1624	explorer.exe	explorer.exe
PID 1624 set thread context of 1520	1624	explorer.exe	diskperf.exe
PID 532 set thread context of 1828	532	spoolsv.exe	spoolsv.exe
PID 1932 set thread context of 948	1932	spoolsv.exe	spoolsv.exe
PID 1392 set thread context of 1472	1392	spoolsv.exe	spoolsv.exe
PID 1584 set thread context of 1560	1584	spoolsv.exe	spoolsv.exe
PID 596 set thread context of 1240	596	spoolsv.exe	spoolsv.exe
PID 824 set thread context of 1600	824	spoolsv.exe	spoolsv.exe
PID 1628 set thread context of 1312	1628	spoolsv.exe	spoolsv.exe
PID 1716 set thread context of 1040	1716	spoolsv.exe	spoolsv.exe
PID 1464 set thread context of 1532	1464	spoolsv.exe	spoolsv.exe
PID 428 set thread context of 380	428	spoolsv.exe	spoolsv.exe
PID 1288 set thread context of 1804	1288	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 1920	1828	spoolsv.exe	spoolsv.exe
PID 1828 set thread context of 1704	1828	spoolsv.exe	diskperf.exe

Drops file in Windows directory 15 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
1016	explorer.exe
532	spoolsv.exe
916	explorer.exe
916	explorer.exe
1932	spoolsv.exe
916	explorer.exe
1392	spoolsv.exe
916	explorer.exe
1584	spoolsv.exe
916	explorer.exe
596	spoolsv.exe
916	explorer.exe
824	spoolsv.exe
916	explorer.exe
1628	spoolsv.exe
916	explorer.exe
1716	spoolsv.exe
916	explorer.exe
1464	spoolsv.exe
916	explorer.exe
428	spoolsv.exe
916	explorer.exe
1288	spoolsv.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

pid	process
1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
1016	explorer.exe
1016	explorer.exe
916	explorer.exe
916	explorer.exe
532	spoolsv.exe
532	spoolsv.exe
916	explorer.exe
916	explorer.exe
1932	spoolsv.exe
1932	spoolsv.exe
1392	spoolsv.exe
1392	spoolsv.exe
1584	spoolsv.exe
1584	spoolsv.exe
596	spoolsv.exe
596	spoolsv.exe
824	spoolsv.exe
824	spoolsv.exe
1628	spoolsv.exe
1628	spoolsv.exe
1716	spoolsv.exe
1716	spoolsv.exe
1464	spoolsv.exe
1464	spoolsv.exe
428	spoolsv.exe
428	spoolsv.exe
1288	spoolsv.exe
1288	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exe

description	pid	process	target process
PID 1020 wrote to memory of 1832	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 1020 wrote to memory of 1832	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 1020 wrote to memory of 1832	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 1020 wrote to memory of 1832	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1020 wrote to memory of 1992	1020	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 756	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 1992 wrote to memory of 1052	1992	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 756 wrote to memory of 1016	756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 756 wrote to memory of 1016	756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 756 wrote to memory of 1016	756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 756 wrote to memory of 1016	756	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 1016 wrote to memory of 852	1016	explorer.exe	cmd.exe
PID 1016 wrote to memory of 852	1016	explorer.exe	cmd.exe
PID 1016 wrote to memory of 852	1016	explorer.exe	cmd.exe
PID 1016 wrote to memory of 852	1016	explorer.exe	cmd.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe
PID 1016 wrote to memory of 1624	1016	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
"C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1832

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
3⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:852

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1624

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:916

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
PID:1920

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:1028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:1364

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:276

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1028

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:948

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1808

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:820

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1472

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1468

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1560

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1600

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1312

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:1476

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1040

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:544

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:1804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1020

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1520

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bae582e3781b693c05fb1a65d7496500

SHA1
1a38ec721cc0b688564e0281282f07551a660fc0

SHA256
69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5

SHA512
ec015852a100dda336d2785490ca18619baa692200ca940950500829a802f9205706c7e89b02a2c43294e525ca29065c6d3f19a40d80546f25ca65c152974371

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
C:\Windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
C:\Windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
C:\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\??\c:\windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
\Windows\system\explorer.exe
MD5
2e418a10980d8cc4f6ad03474b50e520

SHA1
175c311204f6c9fcc2a8cd2020e0303d86c43f36

SHA256
4c4efdce1e8a905d70e1438dae9523c7ebd9189eea22c77ba212899efd0d62ee

SHA512
20f92527d576dce65616153bb335fb4642a5f333f51efe5d11054a7c7c6676926aabe05f9be46790ced63454371821c6a90b407d7ebccec7fcdb5830d5d6b721

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
\Windows\system\spoolsv.exe
MD5
359335840ec9b9ead589d41631623408

SHA1
2081138f4245e1e0d8cdf3c6d3d44dcf327d19d9

SHA256
d165816f5d9ec12a6aeb0af8b303ae2f928e36e6c10287a1da2afa77e08c1359

SHA512
0e2e860ba0202b4a743eae72421a9b1229ca676e540b93337e3bbfe5f709458a3e451eb8733d2ce457e0e8e7b0b2222c3100047d766efc59bba236c96fd5793d

Download Submit
memory/380-202-0x00000000004E7001-mapping.dmp

Download
memory/428-198-0x0000000000000000-mapping.dmp

Download
memory/532-55-0x0000000000000000-mapping.dmp

Download
memory/544-188-0x0000000000000000-mapping.dmp

Download
memory/596-125-0x0000000000000000-mapping.dmp

Download
memory/756-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-23-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/756-34-0x00000000023E0000-0x00000000023E4000-memory.dmp

Filesize
16KB

Download
memory/756-35-0x00000000026C0000-0x00000000026C4000-memory.dmp

Filesize
16KB

Download
memory/756-19-0x00000000030D0000-0x00000000030E1000-memory.dmp

Filesize
68KB

Download
memory/756-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/756-18-0x0000000002CC0000-0x0000000002CD1000-memory.dmp

Filesize
68KB

Download
memory/756-10-0x0000000000403670-mapping.dmp

Download
memory/820-94-0x0000000000000000-mapping.dmp

Download
memory/824-140-0x0000000000000000-mapping.dmp

Download
memory/852-29-0x0000000000000000-mapping.dmp

Download
memory/916-69-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-149-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-70-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-119-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-104-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-67-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-179-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-65-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-194-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-181-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-218-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-134-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-84-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-136-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-85-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-196-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-203-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-164-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/916-40-0x0000000000403670-mapping.dmp

Download
memory/916-221-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-166-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-204-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-120-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-151-0x0000000003280000-0x0000000003291000-memory.dmp

Filesize
68KB

Download
memory/916-102-0x0000000002E70000-0x0000000002E81000-memory.dmp

Filesize
68KB

Download
memory/920-209-0x0000000000000000-mapping.dmp

Download
memory/948-96-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/948-82-0x00000000004E7001-mapping.dmp

Download
memory/1016-25-0x0000000000000000-mapping.dmp

Download
memory/1020-2-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1020-223-0x0000000000000000-mapping.dmp

Download
memory/1028-234-0x0000000000000000-mapping.dmp

Download
memory/1028-77-0x0000000000000000-mapping.dmp

Download
memory/1040-177-0x00000000004E7001-mapping.dmp

Download
memory/1052-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1052-13-0x0000000000411000-mapping.dmp

Download
memory/1052-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1240-132-0x00000000004E7001-mapping.dmp

Download
memory/1288-206-0x0000000000000000-mapping.dmp

Download
memory/1312-162-0x00000000004E7001-mapping.dmp

Download
memory/1364-236-0x0000000000000000-mapping.dmp

Download
memory/1392-89-0x0000000000000000-mapping.dmp

Download
memory/1440-143-0x0000000000000000-mapping.dmp

Download
memory/1464-185-0x0000000000000000-mapping.dmp

Download
memory/1468-111-0x0000000000000000-mapping.dmp

Download
memory/1472-112-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1472-99-0x00000000004E7001-mapping.dmp

Download
memory/1476-173-0x0000000000000000-mapping.dmp

Download
memory/1500-228-0x0000000000411000-mapping.dmp

Download
memory/1520-45-0x0000000000411000-mapping.dmp

Download
memory/1532-192-0x00000000004E7001-mapping.dmp

Download
memory/1560-116-0x00000000004E7001-mapping.dmp

Download
memory/1584-108-0x0000000000000000-mapping.dmp

Download
memory/1600-147-0x00000000004E7001-mapping.dmp

Download
memory/1604-59-0x0000000000000000-mapping.dmp

Download
memory/1624-32-0x00000000004E7001-mapping.dmp

Download
memory/1624-38-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1628-155-0x0000000000000000-mapping.dmp

Download
memory/1704-214-0x0000000000411000-mapping.dmp

Download
memory/1716-170-0x0000000000000000-mapping.dmp

Download
memory/1788-128-0x0000000000000000-mapping.dmp

Download
memory/1804-226-0x00000000004E7001-mapping.dmp

Download
memory/1808-220-0x0000000000403670-mapping.dmp

Download
memory/1828-79-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1828-63-0x00000000004E7001-mapping.dmp

Download
memory/1832-3-0x0000000000000000-mapping.dmp

Download
memory/1836-158-0x0000000000000000-mapping.dmp

Download
memory/1920-212-0x0000000000403670-mapping.dmp

Download
memory/1932-74-0x0000000000000000-mapping.dmp

Download
memory/1960-200-0x0000000000000000-mapping.dmp

Download
memory/1992-8-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1992-7-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1992-4-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1992-5-0x00000000004E7001-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads