warzonerat | 7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3

Analysis

max time kernel
150s
max time network
119s
platform
windows10_x64
resource
win10v20201028
submitted
28-02-2021 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
Size

2.9MB
MD5

b2ed1b38dc16e2d3e46c1748f06871fc
SHA1

deafaba66dfcbdee771b44562a958824899136e0
SHA256

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3
SHA512

e7d1301ce915de74ea7d8245c7c03ce3cf60840d46d35e5bf9063124f49a06eb08795cde0705d28c120d96c96f1f26b31374e832d02ee962bf0a6eb9675a6bf9

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 42 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 27 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
952	explorer.exe
2040	explorer.exe
3760	explorer.exe
184	spoolsv.exe
3880	spoolsv.exe
2156	spoolsv.exe
804	spoolsv.exe
1516	spoolsv.exe
4032	spoolsv.exe
420	spoolsv.exe
1860	spoolsv.exe
2296	spoolsv.exe
3732	spoolsv.exe
4000	spoolsv.exe
2072	spoolsv.exe
2832	spoolsv.exe
3264	spoolsv.exe
676	spoolsv.exe
3564	spoolsv.exe
3388	spoolsv.exe
3752	spoolsv.exe
1124	spoolsv.exe
3652	spoolsv.exe
1568	spoolsv.exe
4080	spoolsv.exe
3068	spoolsv.exe
3288	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 6 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exeexplorer.exeexplorer.exespoolsv.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe

Suspicious use of SetThreadContext 18 IoCs

Processes:

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 1152 set thread context of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 set thread context of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 set thread context of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 952 set thread context of 2040	952	explorer.exe	explorer.exe
PID 2040 set thread context of 3760	2040	explorer.exe	explorer.exe
PID 184 set thread context of 3880	184	spoolsv.exe	spoolsv.exe
PID 2156 set thread context of 804	2156	spoolsv.exe	spoolsv.exe
PID 1516 set thread context of 4032	1516	spoolsv.exe	spoolsv.exe
PID 420 set thread context of 1860	420	spoolsv.exe	spoolsv.exe
PID 2296 set thread context of 3732	2296	spoolsv.exe	spoolsv.exe
PID 4000 set thread context of 2072	4000	spoolsv.exe	spoolsv.exe
PID 2832 set thread context of 3264	2832	spoolsv.exe	spoolsv.exe
PID 676 set thread context of 3564	676	spoolsv.exe	spoolsv.exe
PID 3388 set thread context of 3752	3388	spoolsv.exe	spoolsv.exe
PID 1124 set thread context of 3652	1124	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 4080	1568	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 3288	3880	spoolsv.exe	spoolsv.exe
PID 3880 set thread context of 2728	3880	spoolsv.exe	diskperf.exe

Drops file in Windows directory 16 IoCs

Processes:

spoolsv.exespoolsv.exe7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
952	explorer.exe
952	explorer.exe
184	spoolsv.exe
184	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
3760	explorer.exe
2156	spoolsv.exe
2156	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
1516	spoolsv.exe
1516	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
420	spoolsv.exe
420	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
2296	spoolsv.exe
2296	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
4000	spoolsv.exe
4000	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
2832	spoolsv.exe
2832	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
676	spoolsv.exe
676	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
3388	spoolsv.exe
3388	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
1124	spoolsv.exe
1124	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
1568	spoolsv.exe
1568	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
3068	spoolsv.exe
3068	spoolsv.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

pid	process
1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
952	explorer.exe
952	explorer.exe
3760	explorer.exe
3760	explorer.exe
184	spoolsv.exe
184	spoolsv.exe
3760	explorer.exe
3760	explorer.exe
2156	spoolsv.exe
2156	spoolsv.exe
1516	spoolsv.exe
1516	spoolsv.exe
420	spoolsv.exe
420	spoolsv.exe
2296	spoolsv.exe
2296	spoolsv.exe
4000	spoolsv.exe
4000	spoolsv.exe
2832	spoolsv.exe
2832	spoolsv.exe
676	spoolsv.exe
676	spoolsv.exe
3388	spoolsv.exe
3388	spoolsv.exe
1124	spoolsv.exe
1124	spoolsv.exe
1568	spoolsv.exe
1568	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3288	spoolsv.exe
3288	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exeexplorer.exe

description	pid	process	target process
PID 1152 wrote to memory of 1856	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	cmd.exe
PID 1152 wrote to memory of 1856	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	cmd.exe
PID 1152 wrote to memory of 1856	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	cmd.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 1152 wrote to memory of 2840	1152	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 744	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
PID 2840 wrote to memory of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 2840 wrote to memory of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 2840 wrote to memory of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 2840 wrote to memory of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 2840 wrote to memory of 4088	2840	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	diskperf.exe
PID 744 wrote to memory of 952	744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	explorer.exe
PID 744 wrote to memory of 952	744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	explorer.exe
PID 744 wrote to memory of 952	744	7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe	explorer.exe
PID 952 wrote to memory of 1768	952	explorer.exe	cmd.exe
PID 952 wrote to memory of 1768	952	explorer.exe	cmd.exe
PID 952 wrote to memory of 1768	952	explorer.exe	cmd.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe
PID 952 wrote to memory of 2040	952	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
"C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
2⤵
- Drops startup file
PID:1856

C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2840

C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
C:\Users\Admin\AppData\Local\Temp\7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
5⤵
- Drops startup file
PID:1768

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:2040

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3828

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3288

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3464

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:1296

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:2728

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2200

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:804

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2484

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:1784

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:3496

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:2712

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
10⤵
PID:3772

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
11⤵
PID:548

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3636

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2844

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:1860

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
9⤵
PID:1148

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
9⤵
PID:3684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:684

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3732

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
- Drops startup file
PID:2088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:2072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:676

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1292

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3752

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:2036

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:3652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
- Executes dropped EXE
PID:4080

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:3964

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:4072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:204

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
8⤵
PID:1772

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
8⤵
PID:2232

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
7⤵
PID:1864

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:996

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
3⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:2788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:3480

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
1⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
1⤵
PID:1724

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
b2ed1b38dc16e2d3e46c1748f06871fc

SHA1
deafaba66dfcbdee771b44562a958824899136e0

SHA256
7eaa2c0c3cd26e9495e9de67413f860820a713141429e921861d239d80475df3

SHA512
e7d1301ce915de74ea7d8245c7c03ce3cf60840d46d35e5bf9063124f49a06eb08795cde0705d28c120d96c96f1f26b31374e832d02ee962bf0a6eb9675a6bf9

Download Submit
C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe
MD5
f5953938cc4d8b194a0ee9ad40b4feca

SHA1
8826029737d2f410111d672dd7529ce6b02d5188

SHA256
062089dcca384b777dee932d7e68eb3d8943da7431b1d43bcb44e529aa5091ea

SHA512
187f04f46a9e31270fa177ba4e81035f5eb8ed0d0c4ebabb6ee5a534d22f9c6be25e526195098cc172e6bc5bddb18ee2b721dff140981cb065d756524dfcadb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Windows\System\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Windows\System\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Windows\System\explorer.exe
MD5
3de34b8268d9150c7cf78d182a301d16

SHA1
3bccf4aff207721ccff5fc09836e828ab17606dc

SHA256
4c3c1113a0dc109245b14c9f50f143d0ae82a14472b92288204e5f3f3a662df4

SHA512
c42abdeaa839e863c88e683b75beaa50de49cda749c789f4da922be5f9a5360e1fb7677841ee5d22c0fd6a35b2141d5178c82530b9ab47f555093b0f8f8e1ec5

Download Submit
C:\Windows\System\explorer.exe
MD5
92293496a974b61d89c2c55bd5b800ff

SHA1
7b398e7fc925b6258b8b6d7c8aa4100ec289a0ed

SHA256
98f22a42f5e55740b9ffac0291275ee8ca33ee4c8b2759f1039a58f2191ce002

SHA512
f9308cb28a0821e82c7e768e7b0c0af659456efd945da6c11d7599cec99bc832c3d320794296dc48c017092ef7d85231651b410d73fd2e9a4727b6fad650c4e7

Download Submit
C:\Windows\System\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Windows\System\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
6acaabb26bcac3031fd2e25995bd91ab

SHA1
7b4282a2ef3071558c0ced27aa19b58a174b92fb

SHA256
783617cb623e9b5a9116c3cfc4d491b461f25bf9c7d4c4dd4c9c017021f6abe7

SHA512
7461f2fd3b7531b30497a22cba9875ae1e1ee46d829a7fe62d001ec0f381498933458733745f729d67e5e811297c47101c5273634880c3ecb6f1d7d7fe67c5e6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d76b9d43f3d883abbd31c1a3aa114091

SHA1
1f955d960967c64ca04ad711abdaabb90eef114e

SHA256
b3adf9236d423fc9a45ca715f6a37f183be216d9c1ff5661a00f849bbde7778d

SHA512
3590be184d8ea0055c1a30c5eccc9a8961d12d5e79ea3fc42e8f3e2bb4ac5645fa54a57e6cdb256bd31eff6c9fc38a698d92364ffba9ed6d1344fa49096928be

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
c2e11e2e66ff6b8e02a8c2afe66c0f5b

SHA1
f32d5c826f2e2c2e67b2f2f2b7b40ddf391d03fb

SHA256
542b3bd5eef5e8c0b23853da887c70653bcef3e6ecbea00911830318eebe301b

SHA512
b619ae06546857d6f3baa05478c66c73bd47e553d785c9924f88b39a482f53f2a881fcfd20ce33f4f45a2064f974cb061e58ce9fc7520885a6b2eb7b753af0c6

Download Submit
C:\Windows\System\spoolsv.exe
MD5
91da34e0bce2423510bfa54645e49e5c

SHA1
7fdc6d457f6516a68e0ca0319d9e29346471597e

SHA256
f2b06a3c8ce05248be8d85289d60225eb52c8536b93c2256f0b2f5c12e22c0d4

SHA512
40c0b70a10034faea5e005be645fd80cbc9dfbaaa4090e66e94c0a3f0da517a325cc355f6b47b851b89b82d4f1066c937d70d10c66a0e88153508e46d8bfaa7c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
\??\c:\windows\system\explorer.exe
MD5
41cba6b95cb8d9c59fd54da8192e9275

SHA1
ca5d43dc6d3d230b3e38b0e1e3cf08adafe46e4c

SHA256
9a6ef750344cd369e52e39d754a439e97894f159502da4216195e0a1ebcaff2c

SHA512
aa745fc55c353761ebec4f1fca35b89bfb03ca41dfa028552cc07a0b27f93d4e7a3321dd28b58e98de29d1f97f8d11aba60a7caef3b3a794fd359423bf460366

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
9c9ae5388c2ff6f281b81a371c5ab267

SHA1
9b07cd9b89974ef659ccb372b52e3760fe9e99ea

SHA256
2d246b6143ebfbd7608d7d1e916c908708ac722b668db97ee0e1292ce0c7439d

SHA512
6ed12c81e4916259f0d4cd395849caed53bcbdf6e049ce02fc392113f82b6579c3dfcc04d880ce7c72fad2586fbc580b72097fa88121cc36910f32640d5d26d7

Download Submit
memory/184-37-0x0000000000000000-mapping.dmp

Download
memory/204-177-0x0000000000000000-mapping.dmp

Download
memory/420-70-0x0000000000000000-mapping.dmp

Download
memory/676-112-0x0000000000000000-mapping.dmp

Download
memory/684-83-0x0000000000000000-mapping.dmp

Download
memory/744-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/744-14-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/744-15-0x0000000003B90000-0x0000000003B91000-memory.dmp

Filesize
4KB

Download
memory/744-8-0x0000000000403670-mapping.dmp

Download
memory/800-145-0x0000000000000000-mapping.dmp

Download
memory/804-55-0x00000000004E7001-mapping.dmp

Download
memory/804-63-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/952-16-0x0000000000000000-mapping.dmp

Download
memory/1124-132-0x0000000000000000-mapping.dmp

Download
memory/1148-219-0x0000000000403670-mapping.dmp

Download
memory/1292-125-0x0000000000000000-mapping.dmp

Download
memory/1296-189-0x00000000004E7001-mapping.dmp

Download
memory/1296-213-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/1468-197-0x00000000004E7001-mapping.dmp

Download
memory/1468-212-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/1516-60-0x0000000000000000-mapping.dmp

Download
memory/1568-143-0x0000000000000000-mapping.dmp

Download
memory/1724-209-0x0000000000000000-mapping.dmp

Download
memory/1768-19-0x0000000000000000-mapping.dmp

Download
memory/1772-211-0x0000000000000000-mapping.dmp

Download
memory/1856-2-0x0000000000000000-mapping.dmp

Download
memory/1860-76-0x00000000004E7001-mapping.dmp

Download
memory/1860-84-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/1864-235-0x0000000000000000-mapping.dmp

Download
memory/2036-135-0x0000000000000000-mapping.dmp

Download
memory/2040-24-0x00000000004E7001-mapping.dmp

Download
memory/2040-27-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2072-98-0x00000000004E7001-mapping.dmp

Download
memory/2072-106-0x0000000007020000-0x0000000007021000-memory.dmp

Filesize
4KB

Download
memory/2088-94-0x0000000000000000-mapping.dmp

Download
memory/2156-49-0x0000000000000000-mapping.dmp

Download
memory/2200-51-0x0000000000000000-mapping.dmp

Download
memory/2232-226-0x00000000004E7001-mapping.dmp

Download
memory/2288-170-0x0000000000000000-mapping.dmp

Download
memory/2296-80-0x0000000000000000-mapping.dmp

Download
memory/2484-181-0x0000000000403670-mapping.dmp

Download
memory/2712-193-0x0000000000403670-mapping.dmp

Download
memory/2728-162-0x0000000000411000-mapping.dmp

Download
memory/2788-115-0x0000000000000000-mapping.dmp

Download
memory/2832-102-0x0000000000000000-mapping.dmp

Download
memory/2840-5-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2840-4-0x00000000004E7001-mapping.dmp

Download
memory/2840-6-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/2840-3-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2844-73-0x0000000000000000-mapping.dmp

Download
memory/3068-153-0x0000000000000000-mapping.dmp

Download
memory/3264-116-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/3264-108-0x00000000004E7001-mapping.dmp

Download
memory/3288-157-0x0000000000403670-mapping.dmp

Download
memory/3328-104-0x0000000000000000-mapping.dmp

Download
memory/3388-123-0x0000000000000000-mapping.dmp

Download
memory/3464-164-0x0000000000000000-mapping.dmp

Download
memory/3480-180-0x0000000000000000-mapping.dmp

Download
memory/3496-62-0x0000000000000000-mapping.dmp

Download
memory/3564-118-0x00000000004E7001-mapping.dmp

Download
memory/3564-126-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3636-202-0x0000000000411000-mapping.dmp

Download
memory/3652-146-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3652-138-0x00000000004E7001-mapping.dmp

Download
memory/3684-223-0x0000000000411000-mapping.dmp

Download
memory/3732-95-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/3732-87-0x00000000004E7001-mapping.dmp

Download
memory/3752-136-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3752-128-0x00000000004E7001-mapping.dmp

Download
memory/3760-111-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-142-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-46-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-47-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-45-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-79-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-150-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-48-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-234-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-89-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-175-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-176-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-233-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-29-0x0000000000403670-mapping.dmp

Download
memory/3760-90-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-78-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-141-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-68-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-69-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-101-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-100-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-131-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-130-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-59-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-121-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-205-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-57-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-110-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3760-206-0x0000000003AE0000-0x0000000003AE1000-memory.dmp

Filesize
4KB

Download
memory/3760-120-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/3772-204-0x0000000000000000-mapping.dmp

Download
memory/3804-208-0x0000000000000000-mapping.dmp

Download
memory/3828-40-0x0000000000000000-mapping.dmp

Download
memory/3880-43-0x00000000004E7001-mapping.dmp

Download
memory/3880-53-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/3964-155-0x0000000000000000-mapping.dmp

Download
memory/4000-91-0x0000000000000000-mapping.dmp

Download
memory/4032-74-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/4032-66-0x00000000004E7001-mapping.dmp

Download
memory/4072-174-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/4072-190-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4072-171-0x00000000004E7001-mapping.dmp

Download
memory/4080-148-0x00000000004E7001-mapping.dmp

Download
memory/4080-166-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/4088-10-0x0000000000411000-mapping.dmp

Download
memory/4088-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4088-9-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads