Malware Analysis Report

2025-03-15 06:30

Sample ID 240124-qhxnjsbbdl
Target 72574ebc8ac037a668c637ccfc74e538
SHA256 cb2ab7c671df235643f807f9d81d28eb8cab4cceacc05175fe6719e6cebf0d77
Tags
rat upx warzonerat infostealer persistence evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb2ab7c671df235643f807f9d81d28eb8cab4cceacc05175fe6719e6cebf0d77

Threat Level: Known bad

The file 72574ebc8ac037a668c637ccfc74e538 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat infostealer persistence evasion

WarzoneRat, AveMaria

Warzonerat family

Modifies WinLogon for persistence

Warzone RAT payload

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

UPX packed file

Loads dropped DLL

Drops startup file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 13:16

Signatures

Warzone RAT payload

rat

Warzonerat family

warzonerat

UPX packed file

upx

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 13:16

Reported

2024-01-24 13:19

Platform

win7-20231129-en

Max time kernel

94s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Windows\SysWOW64\cmd.exe
PID 1724 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
PID 1632 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
PID 1632 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Windows\SysWOW64\diskperf.exe
PID 2172 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe \??\c:\windows\system\explorer.exe
PID 1568 wrote to memory of 2628 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1568 wrote to memory of 1452 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

"C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

Network

N/A

Files

C:\Windows\system\explorer.exe

MD5 482e677561d0c69101f48d1998b3349a
SHA1 8c6c6bdec2535422a8b96f0664dca1339894d548
SHA256 631fc6f75b42bc0eb86b6a084415510c77fbc275b4026cca63b0055a3fde47a7
SHA512 2b33a64ccc1738a9ffd71c264d169e93cb5604dcadeb577a84bfd2d6b087f3a62dbb04e10bd4297eff7816236e132363c2998fa8d04b55cae80ae886cfef4cad

\Windows\system\explorer.exe

MD5 66e775d70cf231509762acf1d8972339
SHA1 dd6691aa3fe928ffa180ee89e1aad2694bef6e46
SHA256 691704d570dfbaf4c6c00e7d05b4b9bfd54c14357923c87c985c83da2e8b73ff
SHA512 d6cbada6626a600803cb715d7df55ec8c6f574bb94882f73d732cf5ad715904adb92dae6f159535cb19c3760aad757c006154a549b1b9fbf984c0ee65efbb2c1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

\??\c:\windows\system\explorer.exe

MD5 dc748c9afecc1044626e335b0d51d193
SHA1 23220499c363281c4d4aa3df26e37c4731092ffb
SHA256 f40a9b9c16beb78f20855a254184bcb68aa286d271ad63b5e66f52fd31c9930b
SHA512 5ecb8741ff8d1b673bd7bd5797a35a56acfcd54b0bce855d47bd1afac632cfecdc4a89420a251c47f865bb46dfeef765012f3cec86a8ff0b0cf17dd3dc9fb8a0

C:\Windows\system\explorer.exe

MD5 3827080c6777613afc1b85332496dc4c
SHA1 4d12f7961c24265fae9a25ed09f5056e6d5b704c
SHA256 01620e03f2eb22c03dff4e2e531b6f18f8bb0a1af7fd8f346f75f00aee8c8f9e
SHA512 954f335cae9fdc22e2b1d35e431dfa1f2a155c5c4abe209ae90949463ba054f4ac975371aadcfa16e8ff55fc3a7fa677fbfd96c44f381ff94a91cf4eb0f54ad0

\Windows\system\explorer.exe

MD5 21abbcf8f0f7ef3e5a3016fb45185821
SHA1 c5c7849ca88e25656b35a044fd3c9a15b567b563
SHA256 fd2b815077f83669e2a85453da2d91ec0e4c694fefc9991ec1dfc494a23158af
SHA512 7f1efc470ce89429f72987987cbf9f6a1c0032a063774d7d5f840ec0268895785092d85707b41b19b7b3054eeb437dd9492e9a2e62ddeceed33f50f5fa573d4c

C:\Windows\system\explorer.exe

MD5 9c4eb0b5c15a2d2eb462f735b78d0705
SHA1 9933cc43a3bc21c4f055cd72e395624f0f5cbbcd
SHA256 385e60e0f48074bd6b8ff4b130d70ce10e238b1468711ff57653b995370f2993
SHA512 c46952d1af77500640a9c60c308554288674964a792e49c020633ece000edcbd920de0939f7c16ffb615b5bf6ff7b31263f5e75f7dc0035eef10615c42356cb8

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 bbf265f3a2e3ef4dc2fba9b7a3b55c66
SHA1 f0d0ecb54f7fdaa8014fbdc83f5996116669ac86
SHA256 6a57d10db0c561f8725d003ff1e3f1a6c5f62ab11cf92f33e6ca919d1fe2553e
SHA512 f022f10e41293b8f15bbeaad84716a7065badf4f080bf8089ef7d9ea6947f0247eb2feadc123eb81f54007c7c36ef253ca4212f11c6ab941fe35ae0682985412

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 deb496be149ae8f1265e1ca3f4900f0d
SHA1 f84bb47c9810deeb5c2ac5bc932edb73a8088ffb
SHA256 60f08097740012cea06c7242d4230b4078546ac0b8d9b0e4d0ef6e477fba5dde
SHA512 317069a174c18a568b8cb168e1e6791931c048b0f9e71e3a97ceeea06dc1fa18a3121ddd107edc0f403352f1191ab0e762ad1e03914c330311dab654dcf202e7

\??\c:\windows\system\spoolsv.exe

MD5 36d6d99539fae4ad95e2658ba1a0cf6e
SHA1 093559d6b40b999cdf2b86c6e02e02deb999a0ce
SHA256 75a393ca26b15d7a3c9c66f196f3a2b5015eb97648a025104bb1daab7eb9afea
SHA512 d4f3e8ffd190f1410e20957ee35d5137a04fc28000dc2c6fbcf264f57c068384a5bdbad2b613d81aee8cc5e8d810b2aa31e8537d02151b68ab041e13f4a6db54

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

C:\Windows\system\spoolsv.exe

MD5 c414dfad4a14e46203766dadef049784
SHA1 b2d552b1ee6657396bd1a4bbaa9e91b0fd9bcc4c
SHA256 953a94fae26f9407a00513e94c1ccecd8e510d2c34685658841739ea51f53cb9
SHA512 c80dd1ad2677ea2f8817d27fa17e40a8ac9188ecbf85ce4bcc52c5264b132df3d2982489897a34f7c0b697e7e268ae926b1e2dacbf6d3192da8800d3ae10f747

\Windows\system\spoolsv.exe

MD5 f14a5ec9243f4e1e5b73fe137d89d185
SHA1 55eec5741d954b2df6feb9d796ec9ca1bc5b7ffc
SHA256 8d586ffe8ac3676d7d99db9e315a9272433bfdf561a1c9c72919f24e5ff7817b
SHA512 7b538f48c229ea7eac88c04216334e1a0dacde9d6802aa0ae98eb39da6433092e697cffd63cf638b2d6278db8681bd857100e0796c38b9720b019a91b13ba8c6

\Windows\system\spoolsv.exe

MD5 98d4e3691f5da06b85746b193f6f52fb
SHA1 f16a00810437c3519cfd34439a986c7e02707b1a
SHA256 77795c483e07c2f562885f4e9dd2b924cee7efb0f43c93622a597a5e252ada76
SHA512 92acc4abf1d84edc324332c92dc7619f231e56c873f39e3be7c4771a88294923bc89c970cbc6958e4cb529f1caaf594932d74eb0638ad241248b47a6de141e12

memory/1452-185-0x0000000000400000-0x0000000001990000-memory.dmp

\Windows\system\spoolsv.exe

MD5 db64b5e69f73eccfbc45efdbf756d3a7
SHA1 b2f3900ce81cfbe0bf3c2bfb3c09185f8a82e6a1
SHA256 09350e786f927004c01dee99353a801d9dc3f64be4f596a9c03cc59ce3b38e3b
SHA512 6fa493e5c4074493efb551c5b55d58d4aa74120d3daf17a34867c08f3d456e070ca92cd8960baeeed05fd94b03f1966c31b84b5b9bb545d6925a30edec7f7248

memory/2300-203-0x00000000003B0000-0x00000000003F6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 3820dbda23f63b95debbc418086121ee
SHA1 f829c8e28ff34ea589488fa28d1ddd6287315d30
SHA256 39cb2234c7475b7e071655a9a5bf2c00aa530a2117c8de9e9fc09b3940b0320c
SHA512 c4d7e423becb75609b2dedd1320a141c1d521f2746275e1c1e1c82e0c347fb999bcda9b7e5f44302b630d00c6114f93541ba17bdc1835d41dc6d570aedc568c9

memory/292-238-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 170a480b4b345fbdbb68b57adcc65f26
SHA1 e94a1c79a17659b0421f7fe0e974c61ee023305f
SHA256 76706c529849010561683db2f73d2091f7a38f861ebeb87d579d8531b6774c3f
SHA512 4f898d5b21849ec830bf86cf11546b92b7e283a07fb684f2225796fffedbe02ce3d0107a5599cb37341de80845a72ce12b8784d47068901ade6527d4fd2845bd

memory/2156-246-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2980-248-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 137d9d46575552ab6a64449bd464e723
SHA1 cff7cd20eb07dfe10beb9b5f52d61429c5365d03
SHA256 a4a031bc314e117681080d416b5fe954a664d15045fb4a6b20c65a6756f79c25
SHA512 0f20ee2706d6ad1bec6e480f1cdd343ec5dc478b9dca7248040895e67d48e4c80f3361015f0cff3d704141c6fda0370462a444c774ec160e7ae0783c89949d6d

\Windows\system\spoolsv.exe

MD5 bbebf21ea0592ef8392e9f81f1a99392
SHA1 3c36633070282b464887d6c6b3d46807ac3ef0a6
SHA256 5ef0fd49e3443bc8599f89769d27cb863fbe04787d95c0ba1329c62f11c9dd5d
SHA512 ac6732dc048ebbed16b07c725cf39aab98929d56d26475ed7f6f7e20498658d6e589c6f4b49a01b9c8cd48cf00a4d7bfcf2a8e645f925ce95a925ef7286fa4d8

memory/292-259-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c30b96a591c451dde06d9fb72ce4f1f8
SHA1 aba73f70d1483895d54ccf387c58ad8d2f8ce38f
SHA256 5cfa0ee1ece811776ffe8ee93c364bd2bdbce61ed19ba3fa0b87ad849eeaaedf
SHA512 a1f8b42683d5ab007ef5eb59c3db0393979d2ec36f254eb5fe9864aafc9dbadf21d3038e9f4a3f11f4f4ff31cd71436da3e56e91ad36e19f494ba947f10f8d5c

C:\Windows\system\spoolsv.exe

MD5 973834869494c7c89c99f9984b24cc12
SHA1 bfc8a102b36010af5bb33676e51de84c7350967d
SHA256 61abc0ee9a88060d240e7e96e1b5fc71492224289641c2b3953e3bd630ce6fe0
SHA512 2a52d2544fb2653c91ee705dc456cc26f2e9f7c8a44f8302658afc1e0e55f4e85b4a40e47c868c6f8b5b8b28b578b867e5c97f6ad5047d2fbd9f7dac6ef2aa18

memory/2604-295-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 66c1dd33f05d442fba43e7a933c187c6
SHA1 4a9dfadf6d34fcf660cf06c2b977a1d8b430bb1c
SHA256 355991712122466b2df8afffc15d58d592800f301d3a4ae6afe3f3e6186274b8
SHA512 fbfb2b9a4ab8af1a220a784b05b22e895d4b71e7cfbb108f07ed6353a892fa6b5419576b34454e60ae56decdd1cb840081a49373f381d7394ec5c3e9fb85a6a3

\Windows\system\spoolsv.exe

MD5 4efe0b9d8cacafbbead56f15fdf3fa52
SHA1 ac5af1d8d9f5963f3ee85cd4ddfdd676ba099e6c
SHA256 7ec7b6bafa8a88052e7eabee4b19e2412206ff33a40dff974836775d4f7b1a8e
SHA512 58f892124bc4e89ae9c5f307348e0347fb5b46cb8b8728dbe1c37f2b7f66da896e740329f16340577665a44b2542721d0c7f274480b3581d7e9f628f1ae26bc3

\Windows\system\spoolsv.exe

MD5 b91190416112a39c23d0833c34a71e1f
SHA1 5f23ff3d4853b9a2f43c1b17653fe860d01bd7a1
SHA256 6220c43b86c433363334f80bab9663f8e264fcf3a0bc4f2a503ec4c2ee9c10c1
SHA512 6719db37788cb7f44e86c272189f7744d26d025e6bfc83979259c76257c19e68acd8508932dcceb7b020b64a54315d4910d3c1793c598b1bfab827e3bba5309f

memory/2536-309-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2156-308-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\spoolsv.exe

MD5 160b20a14b24d014a6dca9a274495735
SHA1 7c03df9d0909c15f3806a8e8dc3a32d095b818df
SHA256 407263e8e9e54a42c9041740fdae2a8cb82692aab2daf59d44d5d8d51535789f
SHA512 eec5f79769c55af322597a4d0bad4914fd4d19f2a7622d29f4aa81cde9c862e69dfa9145f270fc8c85ce7ce5b9f23109cf594ccad8a5936b324a9804383d840e

C:\Windows\system\spoolsv.exe

MD5 094587b2c7e6f9d1ea84ac5f87e46f23
SHA1 377cfb10030fd9be9cbb20dbf4ff46dfa6f63fac
SHA256 37b1928979baa7221934a00349b34e47b1bd171f0971a20a7d361dfbfdad3c7a
SHA512 261d7b27f30a7c25abf1bd5853e936fae2ce77d46833957d9df19f76089af020c5dfdd9a31895cca07cf1e4797db1be1172268b8131510d0a7ec6b4be6ac5e4a

memory/2156-342-0x0000000002950000-0x0000000002996000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 5409186198e750e6829f723380c92f22
SHA1 708e2a4ba1cf4c722fdbe34cf61b8378bcae4a8c
SHA256 ba70e2ac454155d9e45cb59c7fb75d00c7ebcae2457c5bb61980977bbb05d440
SHA512 02fedf7bbd43bf0168cf849aa6e76fc28b4877c8f93051a736dac3677d04b82ea476068272a7628e2cd391cca8b5fd9a55a6ffec44ea9da9751d620fbe0eda8d

memory/2156-350-0x0000000002950000-0x0000000002996000-memory.dmp

memory/1908-352-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2768-348-0x0000000000400000-0x0000000001990000-memory.dmp

\Windows\system\spoolsv.exe

MD5 08d6e4cbe9b21074c645bc78b5af54bc
SHA1 a2a8d960b2ab8804f1936c938091ed3f4b98f5e4
SHA256 e6428b3001b1986c735c9d13d154be4d3acd6470349ceb78eea78ffd6091a0d5
SHA512 a7a4ed00f77ba296e60fd2e42c70d731930ed61ca4d98dff6ee78b82b73ec40944bf1453c465bfa78bc6619afb318560941fe012563ca30074b23abd2aaddbb1

\Windows\system\spoolsv.exe

MD5 90b32da84bbd74de384dfdc3b7f34cf8
SHA1 ee854df4fd8dca4abd4efa6acb3d50daf20e7717
SHA256 3ad17dad343eb675413f145684576841088b904552ae0d8ab711f9c49e0d6367
SHA512 033554c51430634a970c3cf801cf02d03e291070fa145c08714fb8a514ffeb82b659bda84dcfd2001bb77021ab911226a1ec5caf8740478f62aecdcfaedacdea

memory/2156-344-0x0000000002950000-0x0000000002996000-memory.dmp

\Windows\system\spoolsv.exe

MD5 459850a52f9fea65cab89469d072efa9
SHA1 a329a2a88a0ef3a6437a1ab40a41fe438c7eefb7
SHA256 3e0d39e37a6084c9185b5edde0fff6f927c3d2b305e302f61d9733f47149de2d
SHA512 ae38ec1a892a4219fffd52a918e28ceffaa9449480c189619990e2d79889ca2ddff9f27d54fb6694b9e6fdf31cc3fe188000944343f28651e6fa221764111c2b

memory/2156-370-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2156-372-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2768-365-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2156-402-0x0000000002950000-0x0000000002996000-memory.dmp

memory/868-404-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2548-406-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 d0a54557bd17e46f3c02c666ae030e8a
SHA1 7d57eb679f04e6b42f8b339a1acc01a812df895b
SHA256 99cc5265e56e6dc746c420f8928bd145f5cf73ba6dade66ac0209bb96a8ab9c2
SHA512 ace899b3bc2b6bc06e5a9960f7bcd973aa2ed0fc18a7c9fcd621c207692d5b082c89c62b4bc8652bd8161c98bc60638350ad2aa5b95eb26cf2a761e10424d704

\Windows\system\spoolsv.exe

MD5 a2eb4733c91a5d5917fc965f19c25747
SHA1 a0de6ae4b27a375da69b66732234ab2e7f740a9f
SHA256 933cbef35190b87f3c9d241ba51e3e2da59a4a4e597c0a14dcb45960c19479d0
SHA512 154a4c7bb6196224202b80f0039620f566f24ebf02cf622629524e31f0cf2a84d9239942f5e647ca66459098b23389d4d594abe271c5a874ea6420c676070d11

\Windows\system\spoolsv.exe

MD5 87fc7519a571a0f572f742423332452a
SHA1 551587074276d4988f7b7375200672d387a2eb3b
SHA256 fe1218b934da15f2910043d52b6c4601beb99604bddcfe87db1f64f31af788cd
SHA512 d4c6ffddce96817dadec2ab994874fa26aafe7ab16cf10c4e3357258992b123e3586590486e9698bc151d0f60c7f38e37d415f08179f50137c2da9672e0f85de

C:\Windows\system\spoolsv.exe

MD5 9a7fcc5692001ff4a66331d6f1e42b03
SHA1 d30b7b200be0543d53865c28ab70863ac8d4c03f
SHA256 e8366fe9653afbbf17194575e3c9dac3f918679bd437d527575ac19a7fc0b167
SHA512 952ec9d29b7172a35eaafa29b1f8a7dcc642e0ca260e9ad6c90a61699d2d13522b985284c7b680b8f00ace67be4698a0823359ee0ea13acf9d7f74321a3d9953

memory/868-417-0x00000000002B0000-0x00000000002B1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 bf7dbf134719d01106ee40c100379df2
SHA1 613a0811aa3140c7e6f9786f475791990f3a5845
SHA256 318b8401ed5a4a92e31bef1a61228ef4035fa0532131fb044d97a8934403e948
SHA512 0e5e58ffc7d7a963c7301fd55b4ac81f11398170a5b22e0f40e57eadd692e2e65b7944b5f65c306f0162080bc6dea5fd171ca4a2edea08af1e49edcd383e8f84

C:\Windows\system\spoolsv.exe

MD5 fdfb3f9947e63d388605ab26e16148ca
SHA1 8130d4d890fb62a6d04f2fa00a04fc40b19b4cf3
SHA256 8e145adfff5f7d390be7c4e040fa4e9a5cc485f186a9e8dfc16d55d7bfe82d18
SHA512 825296326eef1d7d3fce5789d42974418dab3a306703fac39e510869f4efcc8b409cd0a6989b8a6ba1c56b617c60b5ea406d78cd3bb5540eda5e439cacc2bfab

memory/2156-461-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2920-463-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\system\spoolsv.exe

MD5 eca6c1c9f4bab9477caafe0ba61206e8
SHA1 f8b40d407c1ac78919748296bad31e2d1fc879dc
SHA256 1fa39a9f9c673da4b8dc3626fd1dc2a210e4e80bee0e7c1086e206448634ebaf
SHA512 87962469bf9a7aed7d58ab381decf62af4440623fe1704d9fa6c7847ac3ebb80b215f4e5cf3b0cda4356f9a2a0aa7962d2eda35d43fd1bbb8298f483557b47d6

\Windows\system\spoolsv.exe

MD5 4152cf36b3a7990f93328eec9c3fc8c3
SHA1 92ca3ac6a57ee6e4e3bd386b3f19d3f678ef578c
SHA256 78816b69bf70c183379ef8de1581cc17c32ef567807a8830411a2870b78c6f1e
SHA512 a5deb045700beb79119f6ed582f7e985b649b2e2401ae6409e2cb4d360656ebce95a99ae53924db39039127b11e7279cea9f5702415dafe6cbac25b8b5e69eae

memory/2132-475-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 663b24c1d7693fe129e2798a0e79f66a
SHA1 ecf4d646500da73753c59abfcd7741d9427ab54e
SHA256 7a812c4d9290c4bc3d30bba463b59b26c75c9d04f9fae5674065a0db7b66021c
SHA512 0289aa3d11d8ebc29861531d94b1f3af0a8222f95de68dc8572c8b0adc1f97cc3a7b0f6b78444f436903e16660750b6943a6a86a3af2d05be17d0133e5e82f67

C:\Windows\system\spoolsv.exe

MD5 632c9383a4e73a8d65c91cb4230c03ca
SHA1 e9a56b06759e7ec5d3cbbf2bf5c9b7ef34255435
SHA256 587ecbf8214211ff3b9c8507a26ade28a994fbcc785b3e1c0be60751323400fb
SHA512 3302581c15b7e13ab12a90b7122f0ec9b88f6dc1cec334b23c8a09172310f3a9c039dd8bd47ade97853d0f923f0942d67b6afee46d99d022c52f79427f5d54f0

memory/2156-509-0x0000000002950000-0x0000000002996000-memory.dmp

memory/1076-511-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 280a6018fc2334fa8929781326ec667c
SHA1 e98400ab13c8bfad4c92a92e405fb3bb870ac1ca
SHA256 f84c56b6d03f3273b33d1ce576810dda6cc0f32402b8f7dfdddf98cba989927d
SHA512 eebdb86e7463b834ca543d43b40b7b286c3f0b4e2ea7aa834455fa54dbae311c32bfad0e7f652931ec15ae863b23637bde97b69ce52c2a75b0499689a1f80e9b

\Windows\system\spoolsv.exe

MD5 a851047182a30972d530088c1e79b395
SHA1 8588b29ab0908560ffd5452c2f285df733309da2
SHA256 7e9ad1316ee20074031bad9c9a0fa8dad7a12d4a7765771603d24a27d4588ca3
SHA512 d9396356f477c3852cba6b0c80e32e513a7a18daa215b8732e7072f4d3148950ad968deba3014933ba2c0c48c27c330eedf2feeb97e773cb7bbc1c9dd5083619

memory/3004-524-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c329d0168468fe5eee17da90821f25b0
SHA1 212b69e2114864669f04573b7c82199aee3cdf68
SHA256 5f67152e714fc0d563cdd08bffd0a5b616ef1f39af2ba1119db4c679c63bbb55
SHA512 e909c9c476a6f63f14a409484976e7ea820963197db9ff09936a977971e4b866fe18a3428e46ae51704f80d42d1acd8c32d26fe1947a6760a5f86dd7a9657228

memory/1076-530-0x0000000000450000-0x0000000000496000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 d24e34236047cf5618110cf35ea94dbd
SHA1 113a9cdb375e6f78295723456859ff48d1958f10
SHA256 7c6be192d7ef7ee0103be774135c03fed67acdee435916ce35404c4163d080ce
SHA512 a7bd2ae4f34d9e80af8d1970f47352aa2ee86096baba16a502af8dd249ab4461bc55b3cf2216531d2bc36dad2549d3eb943781c0528f7a28a60fc16e4b05353c

\Windows\system\spoolsv.exe

MD5 0ff4766c22e11d6046392c2a9a89c3cd
SHA1 31e55d650ee62528b13448fdc8cbb60e02f2de09
SHA256 0cd2c22f08336621cc29ba02127a0d0e66cd72698ba5e3a48e73ab46d0f6e70a
SHA512 b75deb86b025f3cf15604800dc31baa725b5904266aa0d2917809f3f1dd985b4894b6bf0a39ab7ac0b19e1af2bbe468b87e1b70b97df787d697609b0d07df4fe

memory/2156-562-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2284-564-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2096-565-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e697c60e4ba4d674559179f980f0bec0
SHA1 cf2764df1a8a8b9536ab506cd0d87c9cee4945e8
SHA256 a103ebee3b9cdfea3194fe4cb85cc1e34494dfe06eb14945d8f768217dd61501
SHA512 971f64d7111724be7ea55d7399273519e3fc122603910703f085ad5d5349f6c6ae4a1eac64f04a64df974f5fd1fec51b83bbfedcb697e330fe89331aed626818

memory/2284-576-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 375961cc0d60a883d0d19a3a7dfc6c38
SHA1 a028b0daa2bb82a04bc194693e4282ba64b97696
SHA256 5b00bb04253a822d243611fed09b166fcf146d7f2d824a98436711ce98d9ca00
SHA512 a5e90e5d0c96e64944cc41ee271e681d54dfca2a095ca2b7e986dc7bedc257ec58af96376d9511aa857866bad50295bd1c2f2beeb5636bc330e4e53638b3428f

memory/2156-575-0x0000000002950000-0x0000000002996000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 6da78d130093184be2906bd57c075141
SHA1 51066287bf0ece662bec977310640fd91d430de6
SHA256 196e99e7b0572a826c5659cbda605ab364003fcde49ed2f5b2f8bd341a034eea
SHA512 7158c020cb8e9d8e53016c884669d4fafbe3935c89ebbf92ddbdad09cb0b26aeeb1892fc422601c4491500ec7e329ea0fdc8a03a7efc5af1f158c1664901dea8

memory/2104-618-0x0000000000400000-0x0000000000628000-memory.dmp

\Windows\system\spoolsv.exe

MD5 cbfc7465c03ac5cea4484695f266a1fc
SHA1 dbd9d583ee37f2e39093f5094e9cde935b3e7aec
SHA256 95dcb86664a161c11525823838d22b007218cd830f68d0cca1f25aba0400f2a5
SHA512 9b84a4dadac1f9513f7bcf5381528f4d70e2ab18fae174edc7ba26b2ec7ca0532b97c38cec3838cd821bde4e21c763ea33f3ed6c174ebb24edb9999e8a80a53e

\Windows\system\spoolsv.exe

MD5 c813d28c244c9d5d536888347e8d2550
SHA1 01c013d16ce87fb8e9572db848abe7621b715819
SHA256 ed94c809e1365461d6fe24c1b11ee78597591a6514648d9d71654a49f8c896c6
SHA512 9647e849f092f726fdb82540803aa380528ccdd91204997b800ebadd854dedfd5c7badf5fd627e127a1441fd9750c11c1572725045ad198f838728568802da01

memory/2104-623-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 b1882b37545d0e36b421843c7bd2d290
SHA1 71721c278fa9c792a40194b243096aebdb313707
SHA256 7ee1f5ecc968f287275ba6d4b5c458a8efbd8b58878fa0cd26844fb2782f24bc
SHA512 a217491991b86e1a92ea8f31e4efb670d45352c060223549567e8d959e270b3b98301d6f3ba872a9b53afdf19120bc14acd703202f9a2e781b31cfe301c060e2

memory/2156-626-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2508-630-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2104-635-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 978ee5996a61f522f457af539f3883d1
SHA1 66ba349ef38c3142e3601bf2ff9c32df4feb3b88
SHA256 b4f1ce528fdcab8bd7b9c8644471eba2c4fe5ff13788ace4a76575c9ae0a10a3
SHA512 16e4fd96338fc9e9e4669eb3a03644ae266a279062c00b4cf332930c24abe20e98d927baa71a17b189ac82928f77891d70bc67ea7a93520de59ee618bcb18bd8

memory/2156-639-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2156-641-0x0000000002950000-0x0000000002996000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 bab13d1b3c7720592c6c7b2f267b4813
SHA1 4e4dc0598c400410d7d3b0cd40193a0ca3b8f8f6
SHA256 37c37fc3f0b7ead8700b0a173e03f9bb48cacd535abc1dd20d6c86de20fd9e06
SHA512 28f0aac1cf1175350ea4dda487afff6c2545801f5d404ed1ddd9983db10efcf4e8c942abcc6219f7a98ee44d250c7b4d9e96a223b283491a4f42e46e0f1ec740

memory/2156-669-0x0000000002950000-0x0000000002996000-memory.dmp

memory/2800-671-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2156-685-0x0000000002950000-0x0000000002996000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 13:16

Reported

2024-01-24 13:19

Platform

win10v2004-20231215-en

Max time kernel

134s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 352 wrote to memory of 1880 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Windows\SysWOW64\cmd.exe
PID 352 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
PID 4672 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
PID 4672 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe C:\Windows\SysWOW64\diskperf.exe
PID 1732 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe \??\c:\windows\system\explorer.exe
PID 1876 wrote to memory of 220 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 1896 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
  "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
  C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe
  C:\Users\Admin\AppData\Local\Temp\72574ebc8ac037a668c637ccfc74e538.exe

C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe
  c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe
  c:\windows\system\spoolsv.exe SE

Network

Country  Destination  Domain                        Proto
US       8.8.8.8:53   232.168.11.51.in-addr.arpa    udp
US       8.8.8.8:53   187.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53   69.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53   58.55.71.13.in-addr.arpa      udp
US       8.8.8.8:53   183.59.114.20.in-addr.arpa    udp
US       8.8.8.8:53   198.187.3.20.in-addr.arpa     udp
US       8.8.8.8:53   114.110.16.96.in-addr.arpa    udp
US       8.8.8.8:53   31.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53   194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53   89.65.42.20.in-addr.arpa      udp

Files

memory/352-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4672-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/352-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4672-3-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4672-5-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4672-7-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4672-6-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4672-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4672-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4672-10-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4672-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4672-12-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4672-13-0x0000000007530000-0x0000000007531000-memory.dmp

memory/4672-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1732-18-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1404-23-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1732-24-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4672-22-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1404-29-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1404-27-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4672-28-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4672-31-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\System\explorer.exe

MD5 9a11d5281f55a05b3b4817cfca8ed013
SHA1 7d65c8d75a313f51d7e70ab2eaec712302202e5d
SHA256 dd6f48b3cd84e0a1386c770154034e16232eeb191b181950e9a95a9b2608de38
SHA512 bc40473fc96e2005b78471e433c9f0577ae53f4b3fc0f7cc376faf3cf68c384e6415e83580876f13704f466fbe58afce3cce6eedb5e97ff86991c5129037498c

C:\Windows\System\explorer.exe

MD5 fba478552e3b8e6ad8346b0e4e757c24
SHA1 9545adebc305cec19a9b8b8a54a38d12cac72dec
SHA256 c3108888d80b4072fea9e6b7083d5661d4e069489ea3f025b596108d5deff248
SHA512 c13c00c9124ec833d98bddbde55916fa0d5d5c1dd4d360fe9673326612e62dc81ce63b31e0d3cdee92118a636ad771e1971200eab4a0209a3c5d66d47cd24d29

\??\c:\windows\system\explorer.exe

MD5 3a6373f26310deee26ba77fa102a8666
SHA1 4f465d8a7dc559f9a684a71e277e6079f79a077a
SHA256 bd998e6ed077f6989df710cb26bcd2752d6debe55450466b7f3573bcfcbdefae
SHA512 4aae79ac083fcc07de3bfbb199482409a31797c738a18a2172774a160249dbb9d43869b4799f301f3fd24ae9aa708e15088053ecf074fcfd20a63d397368e28c

memory/1876-39-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/1896-44-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\explorer.exe

MD5 c08e3de0f4dd75bd37ffe405d863ad6f
SHA1 98422d88f5a930d095c7536d375913e07e3d39f8
SHA256 9124fc0aa94e018d3280d9ea0d2e86eb6132f3dc605ef540a9fb617f0912e001
SHA512 7c6cbe5416ac11d0ea2841e9c74bb4cd759de97689c0baf31985bcc0c6f18a165cbd3c13f41970171851d581e47281f55f2616a223101ff45d858236b13d0f5f

memory/1732-45-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1896-48-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1896-50-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1896-51-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1896-53-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1896-52-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1896-54-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1896-55-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1896-56-0x00000000071D0000-0x00000000071D1000-memory.dmp

memory/1896-57-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1896-59-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 70cf203d405e77cee4c98146cc788ea0
SHA1 8e044b16c16c92f786219780f2ab486602afc95f
SHA256 34a13ac898868da643586e5ea443dba8cae0eb6722b6992f36e4c7b82974c820
SHA512 6f04fc82635b6b31f7893de5e726a9402ee583e36b90207c3022a93a6147382af26322aa5de54dde43ae8379c03229b788914d563a84660c6b84b424b46975e7

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 7314e8612d9c91e4348c5373a985a117
SHA1 fefbed3392d74bd4a14993ff4c16a3c4f77ae62f
SHA256 f86aa2f325bfd3f125c7fe41ff2a64340cb863f5bd5bb824c991c11b6c6b3ec1
SHA512 545fd2f23e788076b9d56207129315fc10cc4d3cf28ef9edeb8fa51fdfb1eaa5e73052c229d2ca770fa61301ab1c94cebe0ff2e2e46fc16d5ae4e555ca03434b

memory/1972-69-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 4733967cb3d7519edaf46adb2dedecdb
SHA1 e9533d9b98980506f7d828be7f7368fd060b2c17
SHA256 681b07390abbf6b93b99363f84c2232e49606d2089ad779f914c72f0266bbea2
SHA512 be556b6a484a4cf863804999b4428cff4ffcf635f6da1098c1421f6e6c005ef755dd734d83ebb6cb4be6c01c380e20480ac10c649457e5f5cf2ea0b36d8f1c73

memory/1992-77-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1896-79-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1896-73-0x0000000000400000-0x0000000001400000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 d633cf877e170d96be79c41bf0af2c8d
SHA1 08b751f2d20054dce22c1a4faa1071e55c656866
SHA256 abb0afcf3c3b8b2fcfacd79dcce67de94d4d47de96ddaf06f14d38685caba7a7
SHA512 3f702fdcb0e81abeb7b5ccbd3eb6599de9592816829267998a5cdcffaa0fd95c93e559385e4b1a0844ba3ac50f1c6286489b5a172e7d837588c78d47fc4eb373

C:\Windows\System\spoolsv.exe

MD5 17c31cb7ad10c27b2cea9360d6c70a2c
SHA1 a875214efaa9ff587f134210173159ea287478c0
SHA256 63308a4dfc891e04e4a6f7c56a0dd97191ee7535b129c124ccda116e3f2162d8
SHA512 d4ea3431237bc6dd1177a0ea8014e4a266aa0bf23a2114a38af21e0aee3a3d277fdcb01a9cf95b3c68ba0bc7d76b4db4afaef14fa96770124e0f364a9e81c5b4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

C:\Windows\System\spoolsv.exe

MD5 13728994efa248a6643ed4092716786e
SHA1 8fa00628cacea76fb24eaeb2d03ee71464ecd2f0
SHA256 1b9bd631514ed4fb5a64a4ef49522f266e65a5d3da0840fc05090fe503cf876e
SHA512 902e603a8a31c1c7a7bd772f6ad4169491bd83cb7f565c294a96902787c1e66cf33928e40ffecf3eb02b0d9c97fce5c17856e36cec49e57f4581f83ca7f6815c

memory/4080-90-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e51597f0e28eb72c6d1afc5d68777e1a
SHA1 536ec194342d07cc58faff2c044e8b5e7c1bd40b
SHA256 f6ffa8333e82869357ef5e427b24042fc0a307dfdfa03ce2beafbea18be2738b
SHA512 7377d41e0bb18b24fa7591a24361505663a0798e363de8ceab11ba1227105984ec7351819f6d065f19f57ce4ed9bdda5d0f3f73a5ba953d77d15d9f0b85c8177

memory/2948-95-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2948-96-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-97-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-98-0x0000000000400000-0x0000000000628000-memory.dmp

memory/628-99-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-100-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1972-101-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2948-103-0x0000000007140000-0x0000000007141000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f962405ba617e0e33033b9e8d974d8d8
SHA1 436d5d85cc73b56946322cd19dbc4eae8bd406cd
SHA256 c3ae9c9797af62b0050236bb0db104eabfeb7c8567e09b87791fd598081e735e
SHA512 972d7c7956c3318e589efe96c8dd89e22c3c2ebf56f59353e437b895c0e4362229509c26f7f1fc2422895a79f7a7d7853fe8171223a4b51986179fff9ec0b438

memory/1236-110-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 8e3268c291d2f7e0017896e068ea4423
SHA1 dbeba471c9bb94ff943288969f6566e3ee0f7b08
SHA256 e4f7694871d4b8fbdbad44bcf1bb27c9a9b1c2cccd2e78ebc2917fbac6283756
SHA512 7b6ca1e2babd539ae17a92fe53b526f5b78aeaff8d8c4f0490e73de83fdb444c9e4636d96ee6541d6e7d5fd47e2b3d7122d23143e560dceb981ebaee53721410

memory/4300-115-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 69781dd2543fdf58d405ad90a51ac5c9
SHA1 928d0ddc74eb09874a70c29de92cc23d71a7908d
SHA256 a5bbf2e0624e8656faecf98f0a2dfe9215355995c05d9464b01ccea24259badf
SHA512 abe9eaadccfc4b87eadd404418ba91aa863b74ef145acc12f0a847b48541773e3171551cecb5816c47c28683c3b8161740a8160aa708f6bb8ce4d9687cee5c30

memory/1236-121-0x0000000007100000-0x0000000007101000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 d56c4265b79ac55551d9be733e758e75
SHA1 3ee6dcc2322deb1ad10cfe885b917aafab5469b0
SHA256 9a71c6608cf4af2f9c1267803744b9d998dcffc14a77001e565648a3302f718e
SHA512 064e8d8bf2d31a3284b08283c0a19f207cbfcb09f2789c80b98b293452c367855f02aa3b56918e97709a3576cbc579e8bc6cebaabe5b238aee17c77491ce4925

memory/3656-128-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 2bd81f8ec10438c465af48a55f7dcb5b
SHA1 a0f9aea762966ee0addf8a37f9bbb484b13eed1f
SHA256 03e7054dd4ec7cb0a2cb53fecf561c886d0ce8907e057786e840372eec93afc5
SHA512 34d47ef73b7b6d691ab776a94adf957bee93e4d39f91c8ebeff6d634ae38584967188aaa27d699decd17a1addf5872d10b0d248cdd2b11cd266ed75881e1e5ea

memory/3232-131-0x00000000072A0000-0x00000000072A1000-memory.dmp

memory/4488-135-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2948-137-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 0612afb3e27451c56aaaf412088db0bc
SHA1 8913d87d487bc94c91b045dfe6f64e16a16059ca
SHA256 97ac3821b5bbf7c56fd7d5e3f4f7a99859855a72c711259f5148739c1de64168
SHA512 726fe4ada9f97ed88418086c872cd7bbb07c97c9b4f94eca72a9b583ff4cbeb013f9fb229183c51cf76d62c01965474e5486d0ddfac47230368176ad7c282f3f

C:\Windows\System\spoolsv.exe

MD5 1dfb8c9373e65d8f3885359015c7cf54
SHA1 3554302584f899733f6f99f27ac15fb51dfd7183
SHA256 57102bcbbd53a489c697f3429cc4036160398e857001128d570e13cb0f21f593
SHA512 98ccc28bc6cbcb96121a61b14927d10a33d4f5b29a19bd950087bf8752505732d744769cd7b3f3ab85c5d6564342069071564692f9d222618fe81804af8214b8