Malware Analysis Report

2025-03-15 06:28

Sample ID 240201-1re5zahbfr
Target 87c01caff217290589a047c46e655e21
SHA256 6919d13020e4c037e5a26e04e8bf812af3b3abb9f0aaba8d279ccda7ba80130b
Tags
rat upx warzonerat evasion infostealer persistence
score
10/10


Analysis Overview


Threat Level: Known bad

The file 87c01caff217290589a047c46e655e21 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat evasion infostealer persistence

Modifies visibility of hidden/system files in Explorer

Warzonerat family

Warzone RAT payload

Modifies WinLogon for persistence

WarzoneRat, AveMaria

Warzone RAT payload

Modifies Installed Components in the registry

UPX packed file

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-02-01 21:52

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-01 21:52

Reported

2024-02-01 21:55

Platform

win7-20231215-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2788 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2788 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 1952 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe \??\c:\windows\system\explorer.exe
PID 956 wrote to memory of 2196 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1932 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

"C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

memory/2312-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2312-3-0x0000000001D90000-0x0000000001DD6000-memory.dmp

memory/2788-2-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2788-4-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-18-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-19-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-20-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-21-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-22-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-23-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-25-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2788-28-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-31-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-33-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2312-35-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2788-36-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-37-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-38-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-39-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-40-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-41-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-42-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-43-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-44-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-45-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-46-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-47-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2788-48-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2788-49-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-50-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2788-52-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1952-57-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1952-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1952-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2788-59-0x0000000008AC0000-0x0000000008B06000-memory.dmp

memory/1952-55-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2012-70-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2012-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1952-81-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2012-83-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2788-84-0x0000000008AC0000-0x0000000008AD2000-memory.dmp

memory/2788-87-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\system\explorer.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Windows\system\explorer.exe

MD5 50a557665c5bb4fa372fadbeba73303e
SHA1 df2eddc14a72381cc26c83268faa2f1806a58457
SHA256 26a053bae335fa424fb830ccbab450145b163c9d475edffa38384e3e623bcd5e
SHA512 59d16c7bad2cb69ab52caddac72a3518e81f7aed71f313c52c6b618eccbfcad5ec809503d8f0405102b8a89b1c08bcc695a01cc5b19f83dad0b07c945dae76ad

\Windows\system\explorer.exe

MD5 7314e8612d9c91e4348c5373a985a117
SHA1 fefbed3392d74bd4a14993ff4c16a3c4f77ae62f
SHA256 f86aa2f325bfd3f125c7fe41ff2a64340cb863f5bd5bb824c991c11b6c6b3ec1
SHA512 545fd2f23e788076b9d56207129315fc10cc4d3cf28ef9edeb8fa51fdfb1eaa5e73052c229d2ca770fa61301ab1c94cebe0ff2e2e46fc16d5ae4e555ca03434b

memory/1952-92-0x0000000002CB0000-0x0000000002CF6000-memory.dmp

memory/1952-97-0x0000000002CB0000-0x0000000002CF6000-memory.dmp

C:\Windows\system\explorer.exe

MD5 57bfe90eb22648f5bbf1676d56ffdb22
SHA1 9d6d9360b66a5d76c48ff736ee63755b5b345f9e
SHA256 487807a94bf28d3c3c73364d85deb64885cef1a6709df0308b73ee8c5db5648c
SHA512 1e396ec5718bcf91068c2c5cf89822e15bed0a3c84d827e9b163b5b5ddd3bb7ee59775e60461b8ba0f6bd67bc21a2d1aa1865c6bb870bbd4f83ba61e85ad0f4a

\??\c:\windows\system\explorer.exe

MD5 69c64574544f62856bbdc10790fe42fe
SHA1 b8fabc08fe5fe0aadf8a63935dd95d6583dc241d
SHA256 b5b353ff3eab0db14ac92ac8bb506c20aa1ed3433c2fb716f0e52e917237441d
SHA512 8bbe5318ad17a8f884d24d81147cc01c5957cc41da5f58d8a473cb9695fc224f59c90041f8612ff160e07f5cf479d24f6386456a4a4961433cddec156bf641e4

memory/956-99-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/1932-138-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\system\explorer.exe

MD5 8b7ec4d3d67a165c2fb6e23a9b5c15aa
SHA1 c741fa02cfb8c2f628e06a0785215e4e6aa33354
SHA256 cd203d169ff5cad3a86d1ab95acf2fe27ae81882ad36036dcfe8514a921c796c
SHA512 15de131246ab26d054ab3f3090b53f48db3679a71aeadc9eb2fb3a2033fcb9e9841a683efcc2a933522b04978aacb4215bf22d6b617e4ff8917d52ef42826211

memory/1952-141-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1932-145-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1932-153-0x0000000007110000-0x0000000007111000-memory.dmp

memory/1932-157-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\system\explorer.exe

MD5 6eb0277a2d9d24ca2c4c10949da31a71
SHA1 2878a975c10f678ca7bcd5d3d0483159608084fb
SHA256 ae6b12651af9864ac3baf2bd4b27ae4344d97290a7acd1720613ae22a787caa3
SHA512 96194f9e50a9d17bd5773ca0b4084965cc6c79dbf94d372e3bd70571ae62d1a33dbbf04a82e143a9039c264f9b338c2db6a56f01f0b3d9eeb1edb213260f081f

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 e51597f0e28eb72c6d1afc5d68777e1a
SHA1 536ec194342d07cc58faff2c044e8b5e7c1bd40b
SHA256 f6ffa8333e82869357ef5e427b24042fc0a307dfdfa03ce2beafbea18be2738b
SHA512 7377d41e0bb18b24fa7591a24361505663a0798e363de8ceab11ba1227105984ec7351819f6d065f19f57ce4ed9bdda5d0f3f73a5ba953d77d15d9f0b85c8177

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 3a6373f26310deee26ba77fa102a8666
SHA1 4f465d8a7dc559f9a684a71e277e6079f79a077a
SHA256 bd998e6ed077f6989df710cb26bcd2752d6debe55450466b7f3573bcfcbdefae
SHA512 4aae79ac083fcc07de3bfbb199482409a31797c738a18a2172774a160249dbb9d43869b4799f301f3fd24ae9aa708e15088053ecf074fcfd20a63d397368e28c

memory/2128-187-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2056-189-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1932-191-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1932-193-0x0000000000400000-0x0000000001400000-memory.dmp

\Windows\system\spoolsv.exe

MD5 9dcbcf11e81986399dd071284b517ad0
SHA1 f7b87968f329b71f24704e33e0a622c34153e359
SHA256 5d0843a451c07ff70dec99dabfb374689497fb25c4dadb5d45143f48343b3875
SHA512 dabfd46670b670e3dbc2270ec016d16657000429b2c92fc3338e6fe2c6c5078a2b814e3aa7f29cc3242729e5352593da4d3dc8a07f682508519e580375da2241

memory/2056-203-0x0000000002690000-0x00000000026D6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 679ed6a4fc978b0a367ff37c9255c658
SHA1 dafceeab1f436049df898cb331c55ce758dc73f3
SHA256 a5e4fff1944b643b8b2a6709a36099df97381498e23636e974d63dbb3486f28c
SHA512 c403dd519e866ebcd6c3ff952b22eaa8bb7fe9b215e3221c0bca514ef1cdee9cc4809a3483113c9fce8e0eac5eb22da29ea439e2b794e6ce69abbb573ea0b2c1

\Windows\system\spoolsv.exe

MD5 f6d012961c9dae2fcc8abb56ca438c6f
SHA1 c01b37a515c16807b34e06b253a29beb67729ed5
SHA256 64c1b262352126f2e25dc39591cbbad7db1a6f25f8005eb30345bdccefa1856c
SHA512 24fed6b43c3080651c634b92c88291425d2625e2baf6fb1e2b4d8955616a39a4c00bdf339fffcc2c97c2dc9f2d63b55d7c545764535acc3c93e445183f4453ef

\??\c:\windows\system\spoolsv.exe

MD5 c667cee2f2d1ab7d07868ed6260b9618
SHA1 30a9417187059c37a8ed9726a39311080accbc23
SHA256 da3998514f90aad565cdc2492d6e62005c6132588a61ab8b6b06976d384a48af
SHA512 d3b67056e3b5887bc6ab2b87fb96d928126473e32f339c3e8c5ddd201c32b70829affaa51cedfa6e2d63ec774442fa1bb77f7559fe5be21cb435982f6063eea7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

memory/2104-205-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2104-209-0x00000000002D0000-0x0000000000316000-memory.dmp

\Windows\system\spoolsv.exe

MD5 fcb24441fd64fe17f85a4387f8cab4da
SHA1 907eae02a8da423afe25325bbb65e0e214be47a8
SHA256 a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150
SHA512 563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93

C:\Windows\system\spoolsv.exe

MD5 70cf203d405e77cee4c98146cc788ea0
SHA1 8e044b16c16c92f786219780f2ab486602afc95f
SHA256 34a13ac898868da643586e5ea443dba8cae0eb6722b6992f36e4c7b82974c820
SHA512 6f04fc82635b6b31f7893de5e726a9402ee583e36b90207c3022a93a6147382af26322aa5de54dde43ae8379c03229b788914d563a84660c6b84b424b46975e7

\Windows\system\spoolsv.exe

MD5 d610ba04d8c538112b58334dd727757d
SHA1 5a708c6fa8f151e9dd47ade1ab037fdc7a6343d2
SHA256 71dccbc9b55d6c12de21ac989d74ce2ff01a15c0fde4ba588cf9bd2c659b5de0
SHA512 6a1e9ec814b9b5d5ad1d9cacde3fc31013f57af79b49943785fc0d27a4027fb6be76c0ed1ec880d6f3bb397916c243a4935a75d020e708b5f07b4eee582dc8f2

\Windows\system\spoolsv.exe

MD5 2ddf6df817160984e047117d0375347f
SHA1 11f608ef7e7133e40188df577b54111c9f95cb06
SHA256 dfeea6c6621cf9667cc5cef6825757b7f36d967f0916e5d04e24d2e33ffeda21
SHA512 10d95ebf6d36881613e6bd5180a0cfd617fb31324724e3efdb14d1cb39fc9f6634fbbda1a3e2b28b06ac0efe82ad0f6cb1f944db13543902eeffa4befb767215

memory/1688-247-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 805016469e0125dece58243b4983d37b
SHA1 7e270964dba515f1776b2dcb1337b6babb766cbf
SHA256 981fb066f67c8ab89d330a6e129ead81b51859946e30e1283ca80f49386106df
SHA512 86937bde7fff1aada2dfd1e0e7fe59c90446b5a70fb8a37ae6f45f09883295648231b3db6c1158a42fcf077b6fbf69c3ab6bd3a204385687c0bc425aeacb6314

memory/1688-253-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2720-254-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 113183def317d6bebc3e747da8642b3f
SHA1 7fcfb6215e2a4e5c1f5d30237237df873e22e033
SHA256 57719d6e40152a7042b8b7896ce8f821ebe01198ec01f19572d575eaad8e28d5
SHA512 1013f3095f6e1434253f49aaf17de41e892e79d6d610e6bfdfd44037559fefe1cbbb3698dd29b77c24f9ba07e8ea859bfd6035a7d2bcb64edbdd849f5e7431b2

memory/2720-262-0x00000000004D0000-0x0000000000516000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-01 21:52

Reported

2024-02-01 21:55

Platform

win10v2004-20231215-en

Max time kernel

122s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 2752 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe
PID 4808 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 4808 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 4808 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 4808 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 4808 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe C:\Windows\SysWOW64\diskperf.exe
PID 5012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe \??\c:\windows\system\explorer.exe
PID 5012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe \??\c:\windows\system\explorer.exe
PID 5012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 212 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 212 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 212 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3420 wrote to memory of 1124 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

"C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Users\Admin\AppData\Local\Temp\87c01caff217290589a047c46e655e21.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 137.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

memory/2752-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4808-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2752-5-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4808-6-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-4-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-7-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-11-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-13-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

memory/4808-14-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4808-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-18-0x0000000008DB0000-0x0000000008DB1000-memory.dmp

memory/5012-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3904-24-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3904-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5012-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3904-29-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4808-31-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4808-33-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\explorer.exe

MD5 fae7941341425eaf63a50ee21bc109f9
SHA1 97cc1e290f01e315902642e2e1168e6f3db63320
SHA256 9ba728088ef16d942f4e0058b5002923f5362152781037fd662977d7312f272c
SHA512 73df2f34d9d00e4d491b5603fec5399229d265102e84902527d267c7df0b51f88bce583792432749f910f9ab14ab57afc39fcaca6d7a89fd0246133e2771b967

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

C:\Windows\System\explorer.exe

MD5 805016469e0125dece58243b4983d37b
SHA1 7e270964dba515f1776b2dcb1337b6babb766cbf
SHA256 981fb066f67c8ab89d330a6e129ead81b51859946e30e1283ca80f49386106df
SHA512 86937bde7fff1aada2dfd1e0e7fe59c90446b5a70fb8a37ae6f45f09883295648231b3db6c1158a42fcf077b6fbf69c3ab6bd3a204385687c0bc425aeacb6314

memory/3420-45-0x0000000000400000-0x0000000000446000-memory.dmp

memory/5012-47-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1124-49-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1124-50-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1124-51-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1124-53-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1124-52-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1124-54-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1124-55-0x0000000008EB0000-0x0000000008EB1000-memory.dmp

memory/1124-56-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1124-58-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\explorer.exe

MD5 1da9b42e228d5f1dd1d6918de8475852
SHA1 4481b9e0d6c481383f27102327f9f537a6a232ab
SHA256 d369c634127f5c98147c7d1507b708e5d1698a0f6df3a3113f62d12cf16d2bad
SHA512 caae7ee73a5b527269e061531fea07c8bee0308998719a88113f53fdc3af4cc2124c5295a3fe2ffee371aa3b6ddaf0b4010e48a030c099a2bc6623b50ae2f022

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 d64579985be59941da25529f147aab92
SHA1 47d17d23ee66de97c5ca876ae4cf11059f22e07a
SHA256 a5af8e8c59c1ccaf9c261c755ba4c896d70fb982275fa3754fcfdb26f024cd3b
SHA512 ce3e40096ade4afa69d4e19f9bc2105e1f9bb2e05d83d783620092440c4e0dfdc22781a76df2c47798758693871babaf3e46784ecfb9df4ffdc5a8ce03fd252f

memory/3260-67-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 50a557665c5bb4fa372fadbeba73303e
SHA1 df2eddc14a72381cc26c83268faa2f1806a58457
SHA256 26a053bae335fa424fb830ccbab450145b163c9d475edffa38384e3e623bcd5e
SHA512 59d16c7bad2cb69ab52caddac72a3518e81f7aed71f313c52c6b618eccbfcad5ec809503d8f0405102b8a89b1c08bcc695a01cc5b19f83dad0b07c945dae76ad

memory/2432-75-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1124-76-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1124-78-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 656a8377ba3c8204b598efa2037181df
SHA1 163d7cad97d438d0e07811a059d9b0535680e51f
SHA256 9ada91996c3df9d40dc246ff038e60d9dd1c2f9bc2f6ef0fbd35b937b21dda53
SHA512 3b1c16f88674f427e9bb1e0d0844c4c04501fcd0754ef0b00373dd8a714ff57a2ca09973c9458643e01b192f185f1d029c3201515c5e79034052a2e1e5a545c0

\??\c:\windows\system\spoolsv.exe

MD5 c891c11aa3f05311c2e1506098291bb4
SHA1 c6f0504b9c31559fe595702f15fa7bb77255f6c3
SHA256 063a9ea98f9df4ab0257033e6708deffbe8ebcb58f4d51f56ecf7d0c2f4df019
SHA512 2cfaf03278dd9fb9e8305e0bfa2b0e8ef317e6141df10dc736c27ccdf6e4bd9369a2858a07718016672675058dca50e38f7e5925c618ab987c4e83b5050a018f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

C:\Windows\System\spoolsv.exe

MD5 36ee445885f11bed5ebdf8fef99f3ab4
SHA1 0fa06a4cba9d83f86ddaf759595428e9661d5af0
SHA256 e8458d4e9b0e6ec65dc346b3b6c4552f4f0e6dd5efb5da970891382349bf6f03
SHA512 71dbcfe25ecb07911d1a0355cad0d049a47ea6d17ee51b28a967189472546094e4299ebfb322bff7cfe0bd7f34eada5a6f64c254b211281e710975972b65ff6d

memory/4180-89-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3456-93-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 0c14a3e04bcd0491807db5db589657a8
SHA1 a817e93212a35277fc6f319103850f7a083889cc
SHA256 8a0d6aae4dba5794c506c03dbf3d2562fe8deece47f5aa018852fb3dff6cb690
SHA512 b946e1cefeb1ead8666d8106b9d1a66f1d8615d80d4f57afa4acc0e632b519445d08c4cd44983824d10d443a4e4e59ce3301fe2df0422a5a667ca08a4cfaacc5

memory/3456-94-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3456-97-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3456-96-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3456-98-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3456-99-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4404-100-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3456-101-0x0000000007180000-0x0000000007181000-memory.dmp

memory/3260-105-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9dcbcf11e81986399dd071284b517ad0
SHA1 f7b87968f329b71f24704e33e0a622c34153e359
SHA256 5d0843a451c07ff70dec99dabfb374689497fb25c4dadb5d45143f48343b3875
SHA512 dabfd46670b670e3dbc2270ec016d16657000429b2c92fc3338e6fe2c6c5078a2b814e3aa7f29cc3242729e5352593da4d3dc8a07f682508519e580375da2241

memory/3808-104-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f0e948a925da0cb6836bf7e90d761ab4
SHA1 6e0ec59790a91e4c7871c61def682eb6cc31e355
SHA256 94f8dfeeb2cd793bbcfefee3e6dfd04d58148feaa8b9f9ebe16bd944ad20399c
SHA512 471505cf20ccebdfe2b9c20e96afc14487ab58f939d365f0b48b4142116fa7e1e7ea17b1b27c938ec9ebeb8614a54f312743c008c8eaf74c179485bdb6def9e6

memory/3808-107-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4840-108-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3808-109-0x0000000000400000-0x0000000001990000-memory.dmp

memory/3808-112-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3808-110-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 113183def317d6bebc3e747da8642b3f
SHA1 7fcfb6215e2a4e5c1f5d30237237df873e22e033
SHA256 57719d6e40152a7042b8b7896ce8f821ebe01198ec01f19572d575eaad8e28d5
SHA512 1013f3095f6e1434253f49aaf17de41e892e79d6d610e6bfdfd44037559fefe1cbbb3698dd29b77c24f9ba07e8ea859bfd6035a7d2bcb64edbdd849f5e7431b2

memory/3808-113-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 0612afb3e27451c56aaaf412088db0bc
SHA1 8913d87d487bc94c91b045dfe6f64e16a16059ca
SHA256 97ac3821b5bbf7c56fd7d5e3f4f7a99859855a72c711259f5148739c1de64168
SHA512 726fe4ada9f97ed88418086c872cd7bbb07c97c9b4f94eca72a9b583ff4cbeb013f9fb229183c51cf76d62c01965474e5486d0ddfac47230368176ad7c282f3f

memory/1860-119-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3808-117-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1860-121-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1860-120-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1860-124-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3808-122-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 63a3a954864aca34f057c15c02be6590
SHA1 cf3ede97211de5a9a72bc81639fcf0eeda600bc7
SHA256 2d535fd771f6d837d4f98c4230884e25723c7b592c5c63bd76510c16d59efa04
SHA512 e295181e438faf76fed0fbf482b563ca95e9579404a6abfe97089a62a9ad270edd68058a7b7ac578c3bd156bde01564acbab0f9282e30275177a3f2b443c36af

memory/2756-130-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1860-131-0x0000000007210000-0x0000000007211000-memory.dmp

memory/3808-132-0x0000000007490000-0x0000000007491000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 17c31cb7ad10c27b2cea9360d6c70a2c
SHA1 a875214efaa9ff587f134210173159ea287478c0
SHA256 63308a4dfc891e04e4a6f7c56a0dd97191ee7535b129c124ccda116e3f2162d8
SHA512 d4ea3431237bc6dd1177a0ea8014e4a266aa0bf23a2114a38af21e0aee3a3d277fdcb01a9cf95b3c68ba0bc7d76b4db4afaef14fa96770124e0f364a9e81c5b4

memory/2200-136-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3456-139-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 16bd25a3c6d3025ab13249e2c61d981b
SHA1 342fa28f45ff0c4f7c58441bff92d9ef6930ad36
SHA256 2068e913253c1ecd5a6efc1da8450282824979323a77b46b4730d7321e564764
SHA512 2fc5cc233cd133671c505da1b2048ebabb75a31b2baab2037a3bc9654a211e7d44e11fc5ab94b99cdbfe13a31902531dd538015d98ecf63f885506f0042f2059

C:\Windows\System\spoolsv.exe

MD5 c08e3de0f4dd75bd37ffe405d863ad6f
SHA1 98422d88f5a930d095c7536d375913e07e3d39f8
SHA256 9124fc0aa94e018d3280d9ea0d2e86eb6132f3dc605ef540a9fb617f0912e001
SHA512 7c6cbe5416ac11d0ea2841e9c74bb4cd759de97689c0baf31985bcc0c6f18a165cbd3c13f41970171851d581e47281f55f2616a223101ff45d858236b13d0f5f

memory/4124-148-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2912-155-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 8b7ec4d3d67a165c2fb6e23a9b5c15aa
SHA1 c741fa02cfb8c2f628e06a0785215e4e6aa33354
SHA256 cd203d169ff5cad3a86d1ab95acf2fe27ae81882ad36036dcfe8514a921c796c
SHA512 15de131246ab26d054ab3f3090b53f48db3679a71aeadc9eb2fb3a2033fcb9e9841a683efcc2a933522b04978aacb4215bf22d6b617e4ff8917d52ef42826211

memory/4124-164-0x0000000007520000-0x0000000007521000-memory.dmp

memory/700-170-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2568-174-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4192-176-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 1dfb8c9373e65d8f3885359015c7cf54
SHA1 3554302584f899733f6f99f27ac15fb51dfd7183
SHA256 57102bcbbd53a489c697f3429cc4036160398e857001128d570e13cb0f21f593
SHA512 98ccc28bc6cbcb96121a61b14927d10a33d4f5b29a19bd950087bf8752505732d744769cd7b3f3ab85c5d6564342069071564692f9d222618fe81804af8214b8

memory/4192-178-0x0000000007390000-0x0000000007391000-memory.dmp

memory/700-182-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1620-188-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4192-190-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9047901f6be1841c6be69b587f9a9bef
SHA1 225663bfbb66f7d3bf47aacd3aeaf8d36419d4bc
SHA256 463bb774f64935229fd7657449f2dc4e2f50899a4497edf1b5cbae31b1fe016f
SHA512 7978402b9265ec861fe73df7d31cb7a7b8c6c2287e7661a28dfb036e22f283ae101bde13a4a4dcf975634ac76b4753fdbd474607d966ad380b05be87b696a20b

memory/4864-200-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2552-203-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2572-215-0x0000000000400000-0x0000000000446000-memory.dmp

memory/700-223-0x0000000007320000-0x0000000007321000-memory.dmp

memory/2552-225-0x0000000007390000-0x0000000007391000-memory.dmp

memory/464-229-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f962405ba617e0e33033b9e8d974d8d8
SHA1 436d5d85cc73b56946322cd19dbc4eae8bd406cd
SHA256 c3ae9c9797af62b0050236bb0db104eabfeb7c8567e09b87791fd598081e735e
SHA512 972d7c7956c3318e589efe96c8dd89e22c3c2ebf56f59353e437b895c0e4362229509c26f7f1fc2422895a79f7a7d7853fe8171223a4b51986179fff9ec0b438

memory/3776-246-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 d633cf877e170d96be79c41bf0af2c8d
SHA1 08b751f2d20054dce22c1a4faa1071e55c656866
SHA256 abb0afcf3c3b8b2fcfacd79dcce67de94d4d47de96ddaf06f14d38685caba7a7
SHA512 3f702fdcb0e81abeb7b5ccbd3eb6599de9592816829267998a5cdcffaa0fd95c93e559385e4b1a0844ba3ac50f1c6286489b5a172e7d837588c78d47fc4eb373