warzonerat | 69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5

Analysis

max time kernel
150s
max time network
111s
platform
windows10_x64
resource
win10v20201028
submitted
28-02-2021 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
Size

2.9MB
MD5

bae582e3781b693c05fb1a65d7496500
SHA1

1a38ec721cc0b688564e0281282f07551a660fc0
SHA256

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5
SHA512

ec015852a100dda336d2785490ca18619baa692200ca940950500829a802f9205706c7e89b02a2c43294e525ca29065c6d3f19a40d80546f25ca65c152974371

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 39 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat

Executes dropped EXE 30 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

pid	process
652	explorer.exe
1092	explorer.exe
1300	explorer.exe
1724	spoolsv.exe
4344	spoolsv.exe
4388	spoolsv.exe
4380	spoolsv.exe
4492	spoolsv.exe
2252	spoolsv.exe
2584	spoolsv.exe
3092	spoolsv.exe
3712	spoolsv.exe
2568	spoolsv.exe
204	spoolsv.exe
2788	spoolsv.exe
4604	spoolsv.exe
4640	spoolsv.exe
4512	spoolsv.exe
5080	spoolsv.exe
4048	spoolsv.exe
4884	spoolsv.exe
3508	spoolsv.exe
4776	spoolsv.exe
2200	spoolsv.exe
4032	spoolsv.exe
1860	spoolsv.exe
3680	spoolsv.exe
808	spoolsv.exe
1096	spoolsv.exe
2292	explorer.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 10 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe

Suspicious use of SetThreadContext 20 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 4704 set thread context of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 set thread context of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 set thread context of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 652 set thread context of 1092	652	explorer.exe	explorer.exe
PID 1092 set thread context of 1300	1092	explorer.exe	explorer.exe
PID 1092 set thread context of 1392	1092	explorer.exe	diskperf.exe
PID 1724 set thread context of 4344	1724	spoolsv.exe	spoolsv.exe
PID 4388 set thread context of 4380	4388	spoolsv.exe	spoolsv.exe
PID 4492 set thread context of 2252	4492	spoolsv.exe	spoolsv.exe
PID 2584 set thread context of 3092	2584	spoolsv.exe	spoolsv.exe
PID 3712 set thread context of 2568	3712	spoolsv.exe	spoolsv.exe
PID 204 set thread context of 2788	204	spoolsv.exe	spoolsv.exe
PID 4604 set thread context of 4640	4604	spoolsv.exe	spoolsv.exe
PID 4512 set thread context of 5080	4512	spoolsv.exe	spoolsv.exe
PID 4048 set thread context of 4884	4048	spoolsv.exe	spoolsv.exe
PID 3508 set thread context of 4776	3508	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 4032	2200	spoolsv.exe	spoolsv.exe
PID 1860 set thread context of 3680	1860	spoolsv.exe	spoolsv.exe
PID 4344 set thread context of 808	4344	spoolsv.exe	spoolsv.exe
PID 4344 set thread context of 1128	4344	spoolsv.exe	diskperf.exe

Drops file in Windows directory 18 IoCs

Processes:

spoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
652	explorer.exe
652	explorer.exe
1724	spoolsv.exe
1724	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
4388	spoolsv.exe
4388	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
4492	spoolsv.exe
4492	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
2584	spoolsv.exe
2584	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
3712	spoolsv.exe
3712	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
204	spoolsv.exe
204	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
4604	spoolsv.exe
4604	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
4512	spoolsv.exe
4512	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
4048	spoolsv.exe
4048	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
3508	spoolsv.exe
3508	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
2200	spoolsv.exe
2200	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
1860	spoolsv.exe
1860	spoolsv.exe
1300	explorer.exe
1300	explorer.exe

Suspicious use of SetWindowsHookEx 40 IoCs

Processes:

pid	process
4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
652	explorer.exe
652	explorer.exe
1300	explorer.exe
1300	explorer.exe
1724	spoolsv.exe
1724	spoolsv.exe
1300	explorer.exe
1300	explorer.exe
4388	spoolsv.exe
4388	spoolsv.exe
4492	spoolsv.exe
4492	spoolsv.exe
2584	spoolsv.exe
2584	spoolsv.exe
3712	spoolsv.exe
3712	spoolsv.exe
204	spoolsv.exe
204	spoolsv.exe
4604	spoolsv.exe
4604	spoolsv.exe
4512	spoolsv.exe
4512	spoolsv.exe
4048	spoolsv.exe
4048	spoolsv.exe
3508	spoolsv.exe
3508	spoolsv.exe
2200	spoolsv.exe
2200	spoolsv.exe
1860	spoolsv.exe
1860	spoolsv.exe
1096	spoolsv.exe
1096	spoolsv.exe
808	spoolsv.exe
808	spoolsv.exe
2292	explorer.exe
2292	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exeexplorer.exe

description	pid	process	target process
PID 4704 wrote to memory of 4108	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 4704 wrote to memory of 4108	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 4704 wrote to memory of 4108	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	cmd.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 4704 wrote to memory of 3720	4704	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 2108	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
PID 3720 wrote to memory of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 3720 wrote to memory of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 3720 wrote to memory of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 3720 wrote to memory of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 3720 wrote to memory of 3256	3720	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	diskperf.exe
PID 2108 wrote to memory of 652	2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 2108 wrote to memory of 652	2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 2108 wrote to memory of 652	2108	69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe	explorer.exe
PID 652 wrote to memory of 904	652	explorer.exe	cmd.exe
PID 652 wrote to memory of 904	652	explorer.exe	cmd.exe
PID 652 wrote to memory of 904	652	explorer.exe	cmd.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe
PID 652 wrote to memory of 1092	652	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
"C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:4108

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3720

C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
C:\Users\Admin\AppData\Local\Temp\69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:904

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1092

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2124

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4344

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:808

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4608

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1180

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2024

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4380

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1132

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4464

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2252

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:4408

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
11⤵
PID:4488

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:2720

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:4496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:3024

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3184

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4668

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4356

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2788

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:4628

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4640

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:5080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3592

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4884

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4116

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4776

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3664

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:4900

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3152

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:3272

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3100

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:1392

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:3256

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
bae582e3781b693c05fb1a65d7496500

SHA1
1a38ec721cc0b688564e0281282f07551a660fc0

SHA256
69ee759f52c353add075c24cf5e998b31cd2386f66a9c91f6f876eb636c54ee5

SHA512
ec015852a100dda336d2785490ca18619baa692200ca940950500829a802f9205706c7e89b02a2c43294e525ca29065c6d3f19a40d80546f25ca65c152974371

Download Submit
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe
MD5
e191761167da4c12e1b30dd9b73ca0c5

SHA1
c6124e0e569cadd3a634ea072513ca9e8ed540b7

SHA256
789f7c125cc5b765c3e62fe27a5a3844dcc06a0ddc402f63575aff8a1e06c537

SHA512
b6469c55ff25b816da4fa9e55dce499bdbba33fed2b75cea8572239a170d6acb061161e118fec01d9d5cdf80c1f8c60bc3938ffcad3ef10b10b4fe227ef435d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
C:\Windows\System\explorer.exe
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
C:\Windows\System\explorer.exe
MD5
2f75d403e808dbaf1f8e8762c61678c1

SHA1
69ad8442c782da2b164da0996348b05e2ab9f009

SHA256
375bc6b58f8ab723fa98d90bf2945c892b040c0040b6b66312a5e1a8c7967664

SHA512
b22e3c04c9c9abfab62353cdee8feb328818028a55f5e6c2ec6ce3307f8a37e6dee959dd9ed1efca8793da982ea16b1a75745c30d8cc2448d568552df582411e

Download Submit
C:\Windows\System\explorer.exe
MD5
45b58fc41cfecdade8a18f30db7f2429

SHA1
fdddd6ced7dfe7ce237c83fe2846985f4c999fb8

SHA256
524b266a5f77554a5fbaa8d3ea822a2eba225e6bc114e9a510ab848534bc9d0b

SHA512
6181884a8f64fca26a29bd62c99c983451620e85e43f37444fe0f591316505173142c86e0715eaec1dccb366a60cf9882b8dfdf9fc76f3022ec54f4058c2b427

Download Submit
C:\Windows\System\explorer.exe
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
C:\Windows\System\explorer.exe
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
6cead23fa88ecaf0941fab6d581f1e49

SHA1
f53f9febab896dc171068efa6d1a67542041f01d

SHA256
94646b685d42a82e3dbf8a76d53fb260eb57465e11df8e59f32dc035d7de9eb1

SHA512
a79f9fd6d377834d0c4290a6832656490da3112f42842e914e8d39e43dde3d307cc6ad51bd1b1889c98297b73e4474f29a5a7dd6dc9664a5a5507b27721a23cf

Download Submit
C:\Windows\System\spoolsv.exe
MD5
b3a33a64fa19ed784f6c034ed1a3a3bf

SHA1
d89891c9e054f308dd23bd51c42d43da11013dd7

SHA256
f25adc00c0f04e1a6c7fe9ad212587f61707a0944f1107931f01073f2ce52725

SHA512
0590707e484029831e42223b0d64311d0a2b5a95f7ce480e89022b1d21f3be905b3e70e5b691dd509039cf1822340e0a295ef306737bfce401084b365b676b0f

Download Submit
C:\Windows\System\spoolsv.exe
MD5
3d429d620221b79f0e830f1eae68ad12

SHA1
fb5839e38562b7bee6a2e3fbc14e2fb6e7c396d2

SHA256
3e7d3346aeb6e8d21a94c618f8c25179ef375cb1cc362b1723ac33cf1151183b

SHA512
c9ae512db3a094c86a5136c4ae0dd64b97bdb2cd0bc88630044c324cfb9b53ffbb739f814714c119fe3eac2c8cb0c41689deb86f23d8bc93000cfe84913f5cb0

Download Submit
C:\Windows\System\spoolsv.exe
MD5
a22e4e01bf5e6addfd7bac7c99c38282

SHA1
60775ccfd8721b9b316d383d3d00ca0a1b695fec

SHA256
890228757f9f1ab10dbecc1531cc1c71817999cf374840392357a0417b00a973

SHA512
6f4b77e6fcef55336a18353f45852dce71c75f9e546a367e9e9e1e8cb2a0cd30dee47e8be643c0de9ae29a765acae6af439040b8b5bb4125adcf132ae7eb6039

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9798353fce470b40027cd8c986a87670

SHA1
a24004e6f358df279c1bf21e82bf24ab12ecae35

SHA256
868dde8cde73f5fc5a8d46815c215faabf6ac2362a48c2de0989e4096bbf1101

SHA512
30a44417a54df4b5da19a1b7b3c96af371fb9f5647390355b3b1969b4c73b3f6194c9fc9490c4ffc273cd5df65e85b94b1eff029dea15497dfdc9f621425802b

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
C:\Windows\System\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
\??\c:\windows\system\explorer.exe
MD5
3134214978bc8483cb6300224f964868

SHA1
d2eb7d4caf138a907484c1922bdb69e14a0eed16

SHA256
699fd182e0355f703927cb10246ba9f8a2a72bb04c2927778d2622d7ee78f446

SHA512
495e9529c0c4f29ae93c63f39d55cca84a602452b715f254aa146ba9c1fb5ef76ed98c8080ad27a92dedeececbab8e194134f6a518f6d61c56db0af42712b9ca

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
ff87ccbc576ab8d3273397e54a1d8c27

SHA1
bb34f8863ff6f5935245631b9957983d0fb442a5

SHA256
b323096be6d1d89d0b0883b147733f31b1cd0cd3628a8910168cb071e0480959

SHA512
2ff0a3b031df639dc8e80115c4ace3dc3bc9aab2e23999ab7cc5ee4b94239006409ad1c9efce8dbfd789e523f0a773816f767c6e48e07235ad066c22b81d27bc

Download Submit
memory/204-95-0x0000000000000000-mapping.dmp

Download
memory/652-16-0x0000000000000000-mapping.dmp

Download
memory/808-169-0x0000000000403670-mapping.dmp

Download
memory/904-19-0x0000000000000000-mapping.dmp

Download
memory/1092-24-0x00000000004E7001-mapping.dmp

Download
memory/1092-27-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/1096-170-0x0000000000000000-mapping.dmp

Download
memory/1128-178-0x0000000000411000-mapping.dmp

Download
memory/1132-189-0x0000000000403670-mapping.dmp

Download
memory/1180-202-0x00000000004E7001-mapping.dmp

Download
memory/1180-234-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/1300-103-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-198-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-230-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-147-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-71-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-92-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-94-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-72-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-135-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-136-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-156-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-62-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-61-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-81-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-29-0x0000000000403670-mapping.dmp

Download
memory/1300-104-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-125-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-229-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-166-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-168-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-126-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-145-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-51-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-116-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-114-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-52-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-82-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-48-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1300-49-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1300-199-0x0000000003B50000-0x0000000003B51000-memory.dmp

Filesize
4KB

Download
memory/1392-34-0x0000000000411000-mapping.dmp

Download
memory/1724-40-0x0000000000000000-mapping.dmp

Download
memory/1860-158-0x0000000000000000-mapping.dmp

Download
memory/2024-55-0x0000000000000000-mapping.dmp

Download
memory/2108-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-15-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/2108-14-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000000403670-mapping.dmp

Download
memory/2108-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-200-0x0000000000000000-mapping.dmp

Download
memory/2124-43-0x0000000000000000-mapping.dmp

Download
memory/2200-148-0x0000000000000000-mapping.dmp

Download
memory/2252-69-0x00000000004E7001-mapping.dmp

Download
memory/2252-77-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/2292-180-0x0000000000000000-mapping.dmp

Download
memory/2568-98-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/2568-90-0x00000000004E7001-mapping.dmp

Download
memory/2584-74-0x0000000000000000-mapping.dmp

Download
memory/2744-76-0x0000000000000000-mapping.dmp

Download
memory/2788-109-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2788-101-0x00000000004E7001-mapping.dmp

Download
memory/3024-220-0x0000000000403670-mapping.dmp

Download
memory/3088-119-0x0000000000000000-mapping.dmp

Download
memory/3092-79-0x00000000004E7001-mapping.dmp

Download
memory/3092-87-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3100-236-0x0000000000000000-mapping.dmp

Download
memory/3152-176-0x0000000000000000-mapping.dmp

Download
memory/3184-227-0x0000000000411000-mapping.dmp

Download
memory/3256-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3256-11-0x0000000000411000-mapping.dmp

Download
memory/3256-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3272-205-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3272-233-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3272-196-0x00000000004E7001-mapping.dmp

Download
memory/3508-137-0x0000000000000000-mapping.dmp

Download
memory/3592-130-0x0000000000000000-mapping.dmp

Download
memory/3664-150-0x0000000000000000-mapping.dmp

Download
memory/3680-164-0x00000000004E7001-mapping.dmp

Download
memory/3680-184-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3712-84-0x0000000000000000-mapping.dmp

Download
memory/3720-3-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3720-4-0x00000000004E7001-mapping.dmp

Download
memory/3720-6-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/3720-5-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3984-204-0x0000000000000000-mapping.dmp

Download
memory/4032-154-0x00000000004E7001-mapping.dmp

Download
memory/4032-163-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/4048-127-0x0000000000000000-mapping.dmp

Download
memory/4108-2-0x0000000000000000-mapping.dmp

Download
memory/4116-140-0x0000000000000000-mapping.dmp

Download
memory/4344-46-0x00000000004E7001-mapping.dmp

Download
memory/4344-56-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/4356-97-0x0000000000000000-mapping.dmp

Download
memory/4380-59-0x00000000004E7001-mapping.dmp

Download
memory/4380-67-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4388-53-0x0000000000000000-mapping.dmp

Download
memory/4408-207-0x0000000000403670-mapping.dmp

Download
memory/4440-221-0x00000000004E7001-mapping.dmp

Download
memory/4464-66-0x0000000000000000-mapping.dmp

Download
memory/4476-214-0x0000000000000000-mapping.dmp

Download
memory/4488-217-0x0000000000000000-mapping.dmp

Download
memory/4492-63-0x0000000000000000-mapping.dmp

Download
memory/4512-117-0x0000000000000000-mapping.dmp

Download
memory/4604-105-0x0000000000000000-mapping.dmp

Download
memory/4608-182-0x0000000000000000-mapping.dmp

Download
memory/4628-108-0x0000000000000000-mapping.dmp

Download
memory/4640-112-0x00000000004E7001-mapping.dmp

Download
memory/4640-120-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4664-232-0x0000000000000000-mapping.dmp

Download
memory/4668-86-0x0000000000000000-mapping.dmp

Download
memory/4776-151-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4776-143-0x00000000004E7001-mapping.dmp

Download
memory/4884-133-0x00000000004E7001-mapping.dmp

Download
memory/4884-141-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/4900-161-0x0000000000000000-mapping.dmp

Download
memory/5080-131-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/5080-123-0x00000000004E7001-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads