Analysis Overview
SHA256
cb2ab7c671df235643f807f9d81d28eb8cab4cceacc05175fe6719e6cebf0d77
Threat Level: Known bad
The file 72574ebc8ac037a668c637ccfc74e538 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzonerat family
Modifies WinLogon for persistence
Warzone RAT payload
Modifies visibility of hidden/system files in Explorer
Warzone RAT payload
Modifies Installed Components in the registry
UPX packed file
Loads dropped DLL
Drops startup file
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 13:16
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 13:16
Reported
2024-01-24 13:19
Platform
win7-20231129-en
Max time kernel
94s
Max time network
121s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 1632 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe |
| PID 1632 set thread context of 2172 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe |
| PID 1632 set thread context of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1568 set thread context of 1452 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1452 set thread context of 2156 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1452 set thread context of 1092 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
"C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
Network
Files
memory/1724-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1632-2-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1632-3-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-5-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-7-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-9-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-11-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-13-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-15-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-17-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-19-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-21-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-22-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-23-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-24-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-25-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-27-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1632-31-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-34-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1724-37-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1632-36-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1632-38-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1632-39-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-40-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1632-41-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-42-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-43-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-44-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-45-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-47-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1632-48-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-49-0x0000000007160000-0x0000000007161000-memory.dmp
memory/1632-46-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-50-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1632-52-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1916-70-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1632-69-0x0000000008AA0000-0x0000000008AE6000-memory.dmp
memory/2172-81-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2172-63-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1632-84-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1632-86-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1916-85-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2172-59-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 482e677561d0c69101f48d1998b3349a |
| SHA1 | 8c6c6bdec2535422a8b96f0664dca1339894d548 |
| SHA256 | 631fc6f75b42bc0eb86b6a084415510c77fbc275b4026cca63b0055a3fde47a7 |
| SHA512 | 2b33a64ccc1738a9ffd71c264d169e93cb5604dcadeb577a84bfd2d6b087f3a62dbb04e10bd4297eff7816236e132363c2998fa8d04b55cae80ae886cfef4cad |
memory/2172-57-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2172-55-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\explorer.exe
| MD5 | 66e775d70cf231509762acf1d8972339 |
| SHA1 | dd6691aa3fe928ffa180ee89e1aad2694bef6e46 |
| SHA256 | 691704d570dfbaf4c6c00e7d05b4b9bfd54c14357923c87c985c83da2e8b73ff |
| SHA512 | d6cbada6626a600803cb715d7df55ec8c6f574bb94882f73d732cf5ad715904adb92dae6f159535cb19c3760aad757c006154a549b1b9fbf984c0ee65efbb2c1 |
memory/2172-98-0x0000000002740000-0x0000000002786000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 8445bfa5a278e2f068300c604a78394b |
| SHA1 | 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65 |
| SHA256 | 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c |
| SHA512 | 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822 |
\??\c:\windows\system\explorer.exe
| MD5 | dc748c9afecc1044626e335b0d51d193 |
| SHA1 | 23220499c363281c4d4aa3df26e37c4731092ffb |
| SHA256 | f40a9b9c16beb78f20855a254184bcb68aa286d271ad63b5e66f52fd31c9930b |
| SHA512 | 5ecb8741ff8d1b673bd7bd5797a35a56acfcd54b0bce855d47bd1afac632cfecdc4a89420a251c47f865bb46dfeef765012f3cec86a8ff0b0cf17dd3dc9fb8a0 |
memory/1568-99-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2172-97-0x0000000002740000-0x0000000002786000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 3827080c6777613afc1b85332496dc4c |
| SHA1 | 4d12f7961c24265fae9a25ed09f5056e6d5b704c |
| SHA256 | 01620e03f2eb22c03dff4e2e531b6f18f8bb0a1af7fd8f346f75f00aee8c8f9e |
| SHA512 | 954f335cae9fdc22e2b1d35e431dfa1f2a155c5c4abe209ae90949463ba054f4ac975371aadcfa16e8ff55fc3a7fa677fbfd96c44f381ff94a91cf4eb0f54ad0 |
\Windows\system\explorer.exe
| MD5 | 21abbcf8f0f7ef3e5a3016fb45185821 |
| SHA1 | c5c7849ca88e25656b35a044fd3c9a15b567b563 |
| SHA256 | fd2b815077f83669e2a85453da2d91ec0e4c694fefc9991ec1dfc494a23158af |
| SHA512 | 7f1efc470ce89429f72987987cbf9f6a1c0032a063774d7d5f840ec0268895785092d85707b41b19b7b3054eeb437dd9492e9a2e62ddeceed33f50f5fa573d4c |
C:\Windows\system\explorer.exe
| MD5 | 9c4eb0b5c15a2d2eb462f735b78d0705 |
| SHA1 | 9933cc43a3bc21c4f055cd72e395624f0f5cbbcd |
| SHA256 | 385e60e0f48074bd6b8ff4b130d70ce10e238b1468711ff57653b995370f2993 |
| SHA512 | c46952d1af77500640a9c60c308554288674964a792e49c020633ece000edcbd920de0939f7c16ffb615b5bf6ff7b31263f5e75f7dc0035eef10615c42356cb8 |
memory/1452-129-0x0000000000400000-0x0000000001990000-memory.dmp
memory/2172-135-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1452-145-0x0000000000260000-0x0000000000261000-memory.dmp
memory/1452-148-0x0000000000260000-0x0000000000261000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | bbf265f3a2e3ef4dc2fba9b7a3b55c66 |
| SHA1 | f0d0ecb54f7fdaa8014fbdc83f5996116669ac86 |
| SHA256 | 6a57d10db0c561f8725d003ff1e3f1a6c5f62ab11cf92f33e6ca919d1fe2553e |
| SHA512 | f022f10e41293b8f15bbeaad84716a7065badf4f080bf8089ef7d9ea6947f0247eb2feadc123eb81f54007c7c36ef253ca4212f11c6ab941fe35ae0682985412 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | deb496be149ae8f1265e1ca3f4900f0d |
| SHA1 | f84bb47c9810deeb5c2ac5bc932edb73a8088ffb |
| SHA256 | 60f08097740012cea06c7242d4230b4078546ac0b8d9b0e4d0ef6e477fba5dde |
| SHA512 | 317069a174c18a568b8cb168e1e6791931c048b0f9e71e3a97ceeea06dc1fa18a3121ddd107edc0f403352f1191ab0e762ad1e03914c330311dab654dcf202e7 |
memory/2156-175-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1092-182-0x0000000000400000-0x0000000000412000-memory.dmp
\??\c:\windows\system\spoolsv.exe
| MD5 | 36d6d99539fae4ad95e2658ba1a0cf6e |
| SHA1 | 093559d6b40b999cdf2b86c6e02e02deb999a0ce |
| SHA256 | 75a393ca26b15d7a3c9c66f196f3a2b5015eb97648a025104bb1daab7eb9afea |
| SHA512 | d4f3e8ffd190f1410e20957ee35d5137a04fc28000dc2c6fbcf264f57c068384a5bdbad2b613d81aee8cc5e8d810b2aa31e8537d02151b68ab041e13f4a6db54 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 13222a4bb413aaa8b92aa5b4f81d2760 |
| SHA1 | 268a48f2fe84ed49bbdc1873a8009db8c7cba66a |
| SHA256 | d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d |
| SHA512 | eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140 |
memory/2300-196-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2156-195-0x0000000002950000-0x0000000002996000-memory.dmp
memory/2156-193-0x0000000002950000-0x0000000002996000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | c414dfad4a14e46203766dadef049784 |
| SHA1 | b2d552b1ee6657396bd1a4bbaa9e91b0fd9bcc4c |
| SHA256 | 953a94fae26f9407a00513e94c1ccecd8e510d2c34685658841739ea51f53cb9 |
| SHA512 | c80dd1ad2677ea2f8817d27fa17e40a8ac9188ecbf85ce4bcc52c5264b132df3d2982489897a34f7c0b697e7e268ae926b1e2dacbf6d3192da8800d3ae10f747 |
\Windows\system\spoolsv.exe
| MD5 | f14a5ec9243f4e1e5b73fe137d89d185 |
| SHA1 | 55eec5741d954b2df6feb9d796ec9ca1bc5b7ffc |
| SHA256 | 8d586ffe8ac3676d7d99db9e315a9272433bfdf561a1c9c72919f24e5ff7817b |
| SHA512 | 7b538f48c229ea7eac88c04216334e1a0dacde9d6802aa0ae98eb39da6433092e697cffd63cf638b2d6278db8681bd857100e0796c38b9720b019a91b13ba8c6 |
\Windows\system\spoolsv.exe
| MD5 | 98d4e3691f5da06b85746b193f6f52fb |
| SHA1 | f16a00810437c3519cfd34439a986c7e02707b1a |
| SHA256 | 77795c483e07c2f562885f4e9dd2b924cee7efb0f43c93622a597a5e252ada76 |
| SHA512 | 92acc4abf1d84edc324332c92dc7619f231e56c873f39e3be7c4771a88294923bc89c970cbc6958e4cb529f1caaf594932d74eb0638ad241248b47a6de141e12 |
memory/1452-185-0x0000000000400000-0x0000000001990000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | db64b5e69f73eccfbc45efdbf756d3a7 |
| SHA1 | b2f3900ce81cfbe0bf3c2bfb3c09185f8a82e6a1 |
| SHA256 | 09350e786f927004c01dee99353a801d9dc3f64be4f596a9c03cc59ce3b38e3b |
| SHA512 | 6fa493e5c4074493efb551c5b55d58d4aa74120d3daf17a34867c08f3d456e070ca92cd8960baeeed05fd94b03f1966c31b84b5b9bb545d6925a30edec7f7248 |
memory/2300-203-0x00000000003B0000-0x00000000003F6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 3820dbda23f63b95debbc418086121ee |
| SHA1 | f829c8e28ff34ea589488fa28d1ddd6287315d30 |
| SHA256 | 39cb2234c7475b7e071655a9a5bf2c00aa530a2117c8de9e9fc09b3940b0320c |
| SHA512 | c4d7e423becb75609b2dedd1320a141c1d521f2746275e1c1e1c82e0c347fb999bcda9b7e5f44302b630d00c6114f93541ba17bdc1835d41dc6d570aedc568c9 |
memory/292-238-0x0000000000400000-0x0000000001990000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 170a480b4b345fbdbb68b57adcc65f26 |
| SHA1 | e94a1c79a17659b0421f7fe0e974c61ee023305f |
| SHA256 | 76706c529849010561683db2f73d2091f7a38f861ebeb87d579d8531b6774c3f |
| SHA512 | 4f898d5b21849ec830bf86cf11546b92b7e283a07fb684f2225796fffedbe02ce3d0107a5599cb37341de80845a72ce12b8784d47068901ade6527d4fd2845bd |
memory/2156-246-0x0000000002950000-0x0000000002996000-memory.dmp
memory/2980-248-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 137d9d46575552ab6a64449bd464e723 |
| SHA1 | cff7cd20eb07dfe10beb9b5f52d61429c5365d03 |
| SHA256 | a4a031bc314e117681080d416b5fe954a664d15045fb4a6b20c65a6756f79c25 |
| SHA512 | 0f20ee2706d6ad1bec6e480f1cdd343ec5dc478b9dca7248040895e67d48e4c80f3361015f0cff3d704141c6fda0370462a444c774ec160e7ae0783c89949d6d |
\Windows\system\spoolsv.exe
| MD5 | bbebf21ea0592ef8392e9f81f1a99392 |
| SHA1 | 3c36633070282b464887d6c6b3d46807ac3ef0a6 |
| SHA256 | 5ef0fd49e3443bc8599f89769d27cb863fbe04787d95c0ba1329c62f11c9dd5d |
| SHA512 | ac6732dc048ebbed16b07c725cf39aab98929d56d26475ed7f6f7e20498658d6e589c6f4b49a01b9c8cd48cf00a4d7bfcf2a8e645f925ce95a925ef7286fa4d8 |
memory/292-259-0x0000000000220000-0x0000000000221000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | c30b96a591c451dde06d9fb72ce4f1f8 |
| SHA1 | aba73f70d1483895d54ccf387c58ad8d2f8ce38f |
| SHA256 | 5cfa0ee1ece811776ffe8ee93c364bd2bdbce61ed19ba3fa0b87ad849eeaaedf |
| SHA512 | a1f8b42683d5ab007ef5eb59c3db0393979d2ec36f254eb5fe9864aafc9dbadf21d3038e9f4a3f11f4f4ff31cd71436da3e56e91ad36e19f494ba947f10f8d5c |
C:\Windows\system\spoolsv.exe
| MD5 | 973834869494c7c89c99f9984b24cc12 |
| SHA1 | bfc8a102b36010af5bb33676e51de84c7350967d |
| SHA256 | 61abc0ee9a88060d240e7e96e1b5fc71492224289641c2b3953e3bd630ce6fe0 |
| SHA512 | 2a52d2544fb2653c91ee705dc456cc26f2e9f7c8a44f8302658afc1e0e55f4e85b4a40e47c868c6f8b5b8b28b578b867e5c97f6ad5047d2fbd9f7dac6ef2aa18 |
memory/2604-295-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 66c1dd33f05d442fba43e7a933c187c6 |
| SHA1 | 4a9dfadf6d34fcf660cf06c2b977a1d8b430bb1c |
| SHA256 | 355991712122466b2df8afffc15d58d592800f301d3a4ae6afe3f3e6186274b8 |
| SHA512 | fbfb2b9a4ab8af1a220a784b05b22e895d4b71e7cfbb108f07ed6353a892fa6b5419576b34454e60ae56decdd1cb840081a49373f381d7394ec5c3e9fb85a6a3 |
\Windows\system\spoolsv.exe
| MD5 | 4efe0b9d8cacafbbead56f15fdf3fa52 |
| SHA1 | ac5af1d8d9f5963f3ee85cd4ddfdd676ba099e6c |
| SHA256 | 7ec7b6bafa8a88052e7eabee4b19e2412206ff33a40dff974836775d4f7b1a8e |
| SHA512 | 58f892124bc4e89ae9c5f307348e0347fb5b46cb8b8728dbe1c37f2b7f66da896e740329f16340577665a44b2542721d0c7f274480b3581d7e9f628f1ae26bc3 |
\Windows\system\spoolsv.exe
| MD5 | b91190416112a39c23d0833c34a71e1f |
| SHA1 | 5f23ff3d4853b9a2f43c1b17653fe860d01bd7a1 |
| SHA256 | 6220c43b86c433363334f80bab9663f8e264fcf3a0bc4f2a503ec4c2ee9c10c1 |
| SHA512 | 6719db37788cb7f44e86c272189f7744d26d025e6bfc83979259c76257c19e68acd8508932dcceb7b020b64a54315d4910d3c1793c598b1bfab827e3bba5309f |
memory/2536-309-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2156-308-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 160b20a14b24d014a6dca9a274495735 |
| SHA1 | 7c03df9d0909c15f3806a8e8dc3a32d095b818df |
| SHA256 | 407263e8e9e54a42c9041740fdae2a8cb82692aab2daf59d44d5d8d51535789f |
| SHA512 | eec5f79769c55af322597a4d0bad4914fd4d19f2a7622d29f4aa81cde9c862e69dfa9145f270fc8c85ce7ce5b9f23109cf594ccad8a5936b324a9804383d840e |
C:\Windows\system\spoolsv.exe
| MD5 | 094587b2c7e6f9d1ea84ac5f87e46f23 |
| SHA1 | 377cfb10030fd9be9cbb20dbf4ff46dfa6f63fac |
| SHA256 | 37b1928979baa7221934a00349b34e47b1bd171f0971a20a7d361dfbfdad3c7a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 13:16
Reported
2024-01-24 13:19
Platform
win10v2004-20231215-en
Max time kernel
134s
Max time network
146s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 352 set thread context of 4672 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe |
| PID 4672 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe |
| PID 4672 set thread context of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1876 set thread context of 1896 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1896 set thread context of 1972 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1896 set thread context of 1992 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 4080 set thread context of 2948 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
"C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
Network
Files