Analysis Overview
SHA256
aa6390d1a73f29d8fc4b8c9a5a4f71cbc43e64b4a4d59658ad27de8f29810bfe
Threat Level: Known bad
The file abe8da89431cde6f75727b6fe29907f8 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Warzonerat family
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Warzone RAT payload
Warzone RAT payload
Modifies Installed Components in the registry
Executes dropped EXE
ASPack v2.12-2.42
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-28 12:45
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
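The static1 hit "ASPack v2.12-2.42" is a packer signature, which matters for triage because every string and import an analyst sees in the file on disk belongs to the ASPack stub, not to the Warzone payload (the payload only appears unpacked in memory, which is why the behavioral runs match it there). The following is an added example, not the sandbox's own rule: a dependency-free PE section-table walk that applies the common analyst heuristic for ASPack (it appends ".aspack" and ".adata" sections and places the entry point inside ".aspack"). The header-only test images are constructed here; they are not the sample.

```python
"""Added example: triage an ASPack packer hit by walking the PE section table.

Heuristic only (section names + entry-point location), written in plain struct
so it runs anywhere. The two PE images at the bottom are constructed for the
demo; the analysed sample is not included.
"""
import struct

ASPACK_SECTIONS = {b".aspack", b".adata"}


def _pe_offset(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew


def entry_point(pe: bytes) -> int:
    """AddressOfEntryPoint (RVA); same offset in PE32 and PE32+ optional headers."""
    opt = _pe_offset(pe) + 4 + 20
    return struct.unpack_from("<I", pe, opt + 16)[0]


def sections(pe: bytes):
    """Yield (name, VirtualAddress, VirtualSize, SizeOfRawData) per section header."""
    coff = _pe_offset(pe) + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    pos = coff + 20 + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", pe, pos)
        yield name.rstrip(b"\0"), va, vsize, rawsize
        pos += 40  # IMAGE_SECTION_HEADER size


def aspack_indicators(pe: bytes) -> dict:
    secs = list(sections(pe))
    ep = entry_point(pe)
    # Section containing the entry point; span is max(VirtualSize, SizeOfRawData).
    ep_sec = next((s[0] for s in secs if s[1] <= ep < s[1] + max(s[2], s[3])), None)
    return {
        "aspack_sections": sorted(s[0].decode() for s in secs if s[0] in ASPACK_SECTIONS),
        "entry_section": ep_sec.decode(errors="replace") if ep_sec else None,
        "entry_in_aspack": ep_sec == b".aspack",
    }


def looks_aspacked(pe: bytes) -> bool:
    ind = aspack_indicators(pe)
    return ind["entry_in_aspack"] or len(ind["aspack_sections"]) == 2


def build_test_pe(section_specs, ep: int) -> bytes:
    """Constructed header-only PE32 (no code) so the parser has something to walk."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, ep)        # AddressOfEntryPoint
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, raw, 0, 0, 0, 0, 0, 0xE0000040)
        for name, va, vsize, raw in section_specs
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed layouts: an ASPack-style image (entry in .aspack) and a plain one.
PACKED = build_test_pe(
    [(".text", 0x1000, 0x2000, 0x1800), (".data", 0x3000, 0x1000, 0x400),
     (".aspack", 0x4000, 0x2000, 0x1800), (".adata", 0x6000, 0x1000, 0)], ep=0x4001)
PLAIN = build_test_pe([(".text", 0x1000, 0x2000, 0x1800), (".data", 0x3000, 0x1000, 0x400)], ep=0x1000)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("plain", PLAIN)):
        print(label, looks_aspacked(img), aspack_indicators(img))
```

Run it against the file on disk; a True result tells you to take strings and imports from a memory dump rather than from the packed file. Packers can be told to keep original section names, so a False result only rules out the default ASPack layout, not packing in general.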
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 12:45
Reported
2024-02-28 12:48
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
157s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A (22 matches) | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A (22 matches) | N/A | N/A | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
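The signature tables above record five distinct persistence and evasion writes by the dropped copies: the Winlogon Shell value gets a second executable appended after explorer.exe, an Active Setup Installed Components key with a non-hex "GUID" gets a StubPath, RunOnce entries named Explorer and Svchost point at c:\windows\system\, a Run value masquerading as "Microsoft OneDrive" points into AppData\Local\Chrome\, and ShowSuperHidden is set to 0 so the dropped files stay invisible. The following is an added detection example, not part of the report: it classifies Sysmon-style RegistryEvent SetValue records against those locations and flags the values that deviate from a stock system. The record layout and sample rows are constructed here; the paths and values in them are lifted from the tables above, plus one benign control row.

```python
"""Added example: flag the registry persistence writes this report documents.

Input is a constructed list of Sysmon-style Event ID 13 (RegistryEvent, SetValue)
records. Key locations and written values come from the behavioral2 tables; the
record shape and the benign control row are assumptions for the demo.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegWrite:
    image: str     # writing process
    target: str    # key\value path, Sysmon (HKLM\...) or kernel (\REGISTRY\...) form
    details: str   # value written, as logged


# Locations the sample touched. Matched after normalisation (lower case, hive
# prefix / user SID / WOW6432Node stripped) so one rule covers both registry
# views and every user hive.
RULES = [
    ("winlogon_shell", re.compile(r"\\microsoft\\windows nt\\currentversion\\winlogon\\shell$")),
    ("active_setup_stubpath", re.compile(r"\\microsoft\\active setup\\installed components\\\{[^\\]+\}\\stubpath$")),
    ("runonce", re.compile(r"\\microsoft\\windows\\currentversion\\runonce\\[^\\]+$")),
    ("run", re.compile(r"\\microsoft\\windows\\currentversion\\run\\[^\\]+$")),
    ("showsuperhidden", re.compile(r"\\explorer\\advanced\\showsuperhidden$")),
]


def normalise(path: str) -> str:
    p = path.lower()
    p = re.sub(r"^\\registry\\(machine|user)\\", "", p)
    p = re.sub(r"^hk(lm|ey_local_machine|u|ey_users|cu|ey_current_user)\\", "", p)
    p = re.sub(r"^s-1-5-21-[\d-]+\\", "", p)
    return p.replace("\\wow6432node\\", "\\")


def classify(ev: RegWrite):
    key = normalise(ev.target)
    for name, rx in RULES:
        if rx.search(key):
            return name
    return None


def is_suspicious(rule: str, ev: RegWrite) -> bool:
    v = ev.details.strip().lower()
    if rule == "winlogon_shell":
        return v != "explorer.exe"                    # stock value; anything appended is a hijack
    if rule == "showsuperhidden":
        return v in ("0", "dword (0x00000000)")       # hides the dropped files from the user
    if rule == "active_setup_stubpath":
        return True                                   # rare outside installers; always triage
    # Run / RunOnce: payload under a user profile or a non-standard Windows subfolder
    return any(s in v for s in ("\\appdata\\", "\\users\\", "\\windows\\system\\"))


def scan(events):
    """Return (rule, writing image, value) for every suspicious persistence write."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule and is_suspicious(rule, ev):
            hits.append((rule, ev.image, ev.details))
    return hits


# Constructed sample: five rows from the report's tables, one benign control row.
SAMPLE = [
    RegWrite(r"c:\windows\system\explorer.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
             r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"),
    RegWrite(r"c:\windows\system\explorer.exe",
             r"\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
             "0"),
    RegWrite(r"c:\windows\system\explorer.exe",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
             r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"),
    RegWrite(r"c:\windows\system\explorer.exe",
             r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
             r"c:\windows\system\explorer.exe RO"),
    RegWrite(r"c:\windows\system\spoolsv.exe",
             r"HKU\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive",
             r"C:\Users\Admin\AppData\Local\Chrome\SyncHost.exe"),
    RegWrite(r"C:\Windows\System32\msiexec.exe",   # benign control row (constructed)
             r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
             r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for rule, image, value in scan(SAMPLE):
        print(f"{rule:22} {image} -> {value}")
```

The Winlogon Shell rule is the one to keep strict: the stock value is exactly "explorer.exe", so any comma-separated addition is a second program Winlogon will launch at every logon, which is how the dropped c:\windows\system\explorer.exe survives a reboot in this run. Note that the Active Setup key name here is not a valid GUID (it contains non-hex characters), which is itself a useful pivot when hunting across hosts.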
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4932 set thread context of 5004 | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe |
| PID 4052 set thread context of 4792 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 4052 set thread context of 4644 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2272 set thread context of 1824 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 2272 set thread context of 1816 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"
C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe
"C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4856 -ip 4856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4756 -ip 4756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3732 -ip 3732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 976 -ip 976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3316 -ip 3316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1104 -ip 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 396 -ip 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3056 -ip 3056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4620 -ip 4620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 196
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3736 -ip 3736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 528 -ip 528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3176 -ip 3176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3024 -ip 3024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1528 -ip 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1424 -ip 1424
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1424 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3772 -ip 3772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4224 -ip 4224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3792 -ip 3792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 332 -ip 332
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3884 -ip 3884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4684 -ip 4684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4408 -ip 4408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4884 -ip 4884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1404 -ip 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5012 -ip 5012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3396 -ip 3396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3396 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1100 -ip 1100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1100 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4924 -ip 4924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 768 -ip 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 892 -ip 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4972 -ip 4972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5108 -ip 5108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 228 -ip 228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2524 -ip 2524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 316 -ip 316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4604 -ip 4604
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
Files
memory/4932-0-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4932-1-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4932-2-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4932-3-0x0000000000730000-0x0000000000731000-memory.dmp
memory/4932-4-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4932-6-0x0000000000730000-0x0000000000731000-memory.dmp
memory/5004-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/5004-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4932-15-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 0de93540c971ceec84651b9f612294fd |
| SHA1 | b7eb18850f069ebc6fc2ee452ceae5c413a4451f |
| SHA256 | d00d8421128e32ae83b550847a4738ac8e15014f9dbe9b38ed5bf0b98673c637 |
| SHA512 | ab420b217cb776b9cca739c349beb841b0da45bad66169ce1e16146e0be3d3d9c65d0ded213443aee771b55225860d3042918d4b183d17ec49d01bf4473e7a92 |
\??\c:\windows\system\explorer.exe
| MD5 | f5a7d0a17fdd08faaaeccdfa7b82387e |
| SHA1 | 4fa5807b9bbe6775d76d28c0052ecaf18708a5b5 |
| SHA256 | 33a100f479b0f2ba51fc0e1d194d24f3df1ac8b81fe9f066be745e0f236a3296 |
| SHA512 | 5f7916ee74b94109511916bd32a91a7050a8d52f5cc7cfca8b8cac3d4e6f183e3f4e558294b613a947d8f11115a6f852b55f495f7ef0c216b86ada4f77c0984c |
C:\Windows\System\explorer.exe
| MD5 | 0dbfdc7ed68be197cab7cfe466e84876 |
| SHA1 | 0727399b94f4ddbac0c43f644be10ca1486cf035 |
| SHA256 | 46e20a2c686ed01212e305fdac589affff44aad8b1a06cafdf0681e0b2478d45 |
| SHA512 | 31ae22e0822711857bc41bfe7e57d83fc4b88b28746de35fb269c021615e8e1badb5583b3850f50c6ae260e962f678b5c3700ebc76c2a1f6fd2a50d22685eb9a |
memory/4052-24-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4052-25-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4052-26-0x0000000002300000-0x0000000002301000-memory.dmp
memory/5004-27-0x0000000000440000-0x0000000000509000-memory.dmp
memory/5004-28-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4052-29-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4052-31-0x0000000002300000-0x0000000002301000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 040abe3654d96d6df3d6a92faf26b765 |
| SHA1 | 8ac1e1e4f41d89004b5850152a8364b96249da55 |
| SHA256 | 75cc9a9f37cc8402e17c8e51e60b693a45476359ed47574d8894f29e201cb7a2 |
| SHA512 | 91620cf77bb13f5d03048e7133b9bb6a9b113e788f314e069248e50640455f75b57e8fc52efb23e1c560ee80e7ebc55063e9b9984c279d7a9d55320c3721cc01 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | 65130a730e03e9bed6e8446efa69a45b |
| SHA1 | af4cce941e1cbf3f12494f68442de9bafa43f082 |
| SHA256 | a2d05dbe7cd195b7f5ee8f3f557055c75e1bb20c9c9d9aa8fbb38e63b2efb95e |
| SHA512 | 4e6debfedf8d0288331979c9507332fa00c4650affc34b627e9cb8f3b7ab438a086aa43c8a94a2bc2dc3ddb6fd62589d2236cb7b6abe103fd9a71e1d223bf422 |
memory/4644-41-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | 27f7629258989fd10ccbf8162011a769 |
| SHA1 | 60e2eb7878d98720e11b12627565986083ba16ca |
| SHA256 | 082803052c9ea87697bf7c078a6919ad62c44cb71ade169ca5da2902f66b72ec |
| SHA512 | 8875c76aa1d24c11c7ddd90fb3685ed8ed5925614a8b8550999c2fa1a74aaa5fab127fa0b09d4fb7cc68b3732f705c3bf10ab5979184d45831731f2904f09fae |
memory/4792-42-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4052-45-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4644-46-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4644-48-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 085db8662bf3f8e0d2639ce5a685dd29 |
| SHA1 | aca6d8760c631930cbb2f2aa06fce045ae5c5f8a |
| SHA256 | 665a4046fdd25e9c3a0dba98e74b711bc8bcfaf5d808ebdcce6b659c70e6a88c |
| SHA512 | 97f4fa735fe98cb0592f09d36d343c90e574fbfea32fad02f9cf850b43b84dde8f4b702eea98538f86df50a14c32063cb0b74053f4e58f3d9aaf0e0725d6595a |
memory/2272-56-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2272-57-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2272-58-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2272-59-0x00000000008A0000-0x00000000008A1000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 8ede9771a346d642c9c6f386c879113f |
| SHA1 | ab8dc480f97cd9310f80313f7f4d092951ded73e |
| SHA256 | 66e7cfe63e8c69dc36a0f58c59359a3fd62b4dc474cee997a86c5ee94d7b0e98 |
| SHA512 | 19477a4ba5adaa1c4c32c206b8ff2ad4450a3b08465a0cba14d7521173ebdb6ace9a31c62475022c1bab124525ba31c259650427bcaaae6c0bc6947f6bd01110 |
memory/4856-63-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4856-64-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 75de465cb8e1e8b3aeb6b5d606b9dd2d |
| SHA1 | 34774a56df9285676a47633eb3678be29eee8909 |
| SHA256 | fa115b4cd55beaacd232a74f6ff6e4692a0deed7d69e6a6e3bccb9b80ebb8e75 |
| SHA512 | d9c208a8df665daa2e204fc1e2365cd312fdb20856fb3bf925a71e6bb41ba2c6bc790c03ef7373936561a6419d85595062d55b9dbeae331e5c7957c08ee266cf |
memory/4756-66-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3732-68-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4792-73-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2272-76-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2272-78-0x00000000008A0000-0x00000000008A1000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 748a5cf4f219e7183aa61dd2bfbd144c |
| SHA1 | a4ba24ee2594d5e6c51bde6cb8a8eb495b1c4cf4 |
| SHA256 | d85b937e23483c526987726f3e5c4ef70dcb92b2b1f868013899decc5e92fa03 |
| SHA512 | 2acdea2625d22203b749a85ab7532d0c9a81a67cd6191aabef516d6ea2d73f12c0a11a2765e037e286be0b5cf36754fe5f506f8a5ec6020b7cf1f41f3c67c89c |
C:\Windows\System\spoolsv.exe
| MD5 | 532be26935ed4d0337f5299a2a903892 |
| SHA1 | 5306debfd7fa0ffc7c7da7b8f3ab6cc5084b1c61 |
| SHA256 | 2fb8e981a2fdcd97b1e96337ccc2928f6686df10da588897f377d678156c3944 |
| SHA512 | daba83f5d7c13fe9a0e6403c5eeff6b326db21803e51a103f95caeaaa4a8b6f09f88b59f927122adad22bd565c35ea3ea70044c9639eb02c606d9f6249550db4 |
C:\Windows\System\spoolsv.exe
| MD5 | 41f60f0600ad9f7b9c1dc6ff1f52455a |
| SHA1 | 9a6eb596e9ee675ccb15540336ba31c509ab3b00 |
| SHA256 | 5c37adfa9278d8738354222f958a1a02301a76e81bbf1406df7a5816c6044b37 |
| SHA512 | 8205be8e908c365e24febca6faddb7dc479c43972b2ebe4863f4002b693996c47fa227509b0ca1c1a3d248a4a246260d664b1a2d3b9ed555377e9d8feb36e75d |
C:\Windows\System\spoolsv.exe
| MD5 | f67892779ab109f1495268cf4afffae9 |
| SHA1 | a655ea8cda7c7932f2e52fa0aec1366e02d71ba8 |
| SHA256 | fcce94f2f09fe4dc11c9ee19fe18c7d593b0dca3e2fae95235ce8623398cc836 |
| SHA512 | 079e82782ce0ab73ef14446e58d43d8d521a3d433d70dc351a95587bb2e7b3408e981642d70bd66058f8e926b7eb5000132e33fc7a0027e634cf7732c3b082d7 |
C:\Windows\System\spoolsv.exe
| MD5 | 8915e8db1a9b220e878e2923748e5b2d |
| SHA1 | 6d66dead36e744d08d8617223c73695890a65280 |
| SHA256 | 46b3324e3d02045b0d1a5729d3fb08feda4e198197b4f8213d3d88d84a65bcf3 |
| SHA512 | bb3c3055b4cb6033159f185f9cc4d151e3a5cb9a307edd8214ca77b69c1e844020e70ff54ea338fa5982dd3b99911c1fd48a784835a498f2a590f84f58acf80b |
C:\Windows\System\spoolsv.exe
| MD5 | 4322e599836a2dbde4c14f275e54557b |
| SHA1 | 64f3defbf892af2b8eb579ec43ebf94ccac00b51 |
| SHA256 | 59b1c63953338be1f9866941aace0ba4c01d34db1269be7fb22d4f4589755e3e |
| SHA512 | 369a7d90f7bef59cab64681469fecd8a8dd70821ce339ebb9521ab7e2e228ce0e74cebab968c8618c50de9843d1148dc46f632708f1740faa7784ed3d6dbb1ba |
C:\Windows\System\spoolsv.exe
| MD5 | 557688e4c114df9d248751b452f30413 |
| SHA1 | 91e14aa6ccf80d886740a7f54d9d02e034d11837 |
| SHA256 | c066d79254b8c9f82daa9956fb1ec190e90eec49f7748c13a7c1b2a0e1dac8c7 |
| SHA512 | fb74ad93b4382ed713972fb81c89e85a4be7d5368613936bd4235e3bb0a0895994401cd8b3ca3ebcc222178ffec78a737ec42d0f68202de55ebaa03f562391f2 |
memory/892-109-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 647904c20bf212dce7a295fe41ef697c |
| SHA1 | ac6c31f020eceacd0e5f5dc52f2694cf76b82ebf |
| SHA256 | 679cd1a3b148a4252a691ed0a80eb42a1b9e0d921886261570423fb52fd76254 |
| SHA512 | d539821b2559ce2a4f1bdb3e292dc2855b9a0a563ebe18b4941fc5fa4e9e4d605a9976a3718bcd54ef02b6ab0df3fdd92bd43914b669e64e3871fc52cf57d44e |
C:\Windows\System\spoolsv.exe
| MD5 | 944738be0093ecc2bdaec9f6de1199a9 |
| SHA1 | 59c425e331daabf4e9e2ad7410b1651a9f059340 |
| SHA256 | f704e17f1045461a873fc2eebc8ad03f91d9ae6fe7df1a8f52ebb735ad5af72a |
| SHA512 | b01ff11a5b92504100e34b65c549568eb26382ddaaf362f1f13b6f25cb2b968040d4c33f3580ea56ccd057d9e15c91506dcd4df30b1e7fcb2f7c604a71fe61ff |
C:\Windows\System\spoolsv.exe
| MD5 | eb52cae2ac76eaff666a7c22dcc57d45 |
| SHA1 | e8bc4d202805624b32ab9e9254717796fb096bea |
| SHA256 | 24f198f67d4d0431e257955e53221a823a1e3c7868b346639dee015fe8c6bd9f |
| SHA512 | e2358421733b86e154c1238ef15ab299c9c3b55bc411d374400d6b1564989f2c110d638c6b408f78b8bece18de39ffdb939a13a8f79e4104c3cc9ed2bb63f980 |
C:\Windows\System\spoolsv.exe
| MD5 | f925f082f763a7f9f4ad2c4d0b51c7b2 |
| SHA1 | e80cb74c6d587c9e6659b3b640bcaa86b3a8a63e |
| SHA256 | 4fab8755cf613d3bd9b3120434f9edbf90f5057136cfb474aa051c1adf70ee7d |
| SHA512 | 813f4fc8bc6ae8df89073e83f26f02a8f1ee200a05b222cf2db2010025192de928fa984719a2b7581777af06c0947eadf6a0e4bd02467f4ae76db34b1d614180 |
memory/2272-133-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1816-134-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 325488de3b99c286b886ec20d2edf1d4 |
| SHA1 | 92ee13a324c674f1e4e85e842cdef338f8f43207 |
| SHA256 | 2ed6de9f8a62a3d5c57c5644dba5328f9620a7d109a8236345e0d81b144e273d |
| SHA512 | d6e7f7e5629424deb9e6ffada6273cb80465ec5d40de544fbc6170229563fdf3e4694ecf158fad80c4b179fb890205465d533cff6984f4e416a3bad4444dae10 |
C:\Windows\System\svchost.exe
| MD5 | aff44c7d0dad962c4ad7fbf7cddaa967 |
| SHA1 | e2d017d7b764eb6b051bb34439d18f7576559883 |
| SHA256 | 03c3933352e796c129cfe3663f27859539f04213ea981cb898f01c01b462f102 |
| SHA512 | 0e8fe1709b67f0a3c9991273b390c96b8600ae83e8178904610654ed7507eae1172c66cb6dca59172a1d072544568ef9ab28aea069a64ba53f406f1f441dfaec |
memory/1552-141-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1552-142-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1552-143-0x00000000023B0000-0x00000000023B1000-memory.dmp
memory/1824-145-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4792-146-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1552-147-0x0000000000400000-0x0000000000514000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 12:45
Reported
2024-02-28 12:48
Platform
win7-20240221-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A (54 matches) | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2232 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe |
| PID 2232 set thread context of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1248 set thread context of 1972 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1248 set thread context of 2196 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1572 set thread context of 3000 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 1572 set thread context of 1908 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | "C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe" |
| C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe | "C:\Users\Admin\AppData\Local\Temp\abe8da89431cde6f75727b6fe29907f8.exe" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 848 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe |
Network
Files
memory/2232-0-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2232-2-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2232-1-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2232-3-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2232-4-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2232-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/3028-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2232-11-0x0000000002F10000-0x0000000003024000-memory.dmp
memory/3028-12-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3028-14-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3028-18-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3028-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2392-27-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3028-28-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2392-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2392-32-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2392-35-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2232-37-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2392-38-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\explorer.exe
| MD5 | d5aa0a5a08596d69eb33910ddcf9d10c |
| SHA1 | 6bd7a389d8f9457928ba27b4d60011b14158afa8 |
| SHA256 | f1be0ca70cd1edcc5ff988bf09d0da94a52c8a81b8a1c28a92cc5babd0a5d0f5 |
| SHA512 | 90bb651b9a112f68950b800644982516a5f6260cf545e8b951178d42a461317d9d888ed0cfe50ef58c39075db1b6312e894d9329da88aba7f2c5228e63616007 |
C:\Windows\system\explorer.exe
| MD5 | 5e4e035a0ea5ddb4d97980d1ad8244cd |
| SHA1 | a293a602a3e9d4e9bb98147eb22214ccffe26f43 |
| SHA256 | d6ec56e9654938f800b34ebf9e878bb984174adb0bd3d2338d8e9c8453ab2e72 |
| SHA512 | 501bea698a713ac7f18166c3fd06f733672bcf231d96b6483c65aa0f7c253e3d419cd51eee24b2fb3a3de50a81a2ffd8ff91accae33d1bdfeed0a69a8508d7f0 |
memory/1248-48-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1248-49-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\explorer.exe
| MD5 | 2ff3137d295c33fb00e156c599d7b087 |
| SHA1 | 71eebc389c78d3f3e56bb2a206c584627c0efc8c |
| SHA256 | c283a3e474e6f2e94e88996166e7ffb050cafe19aafa02a1846eddc9f10dbf73 |
| SHA512 | e006e5d42d8efd268ae5e8ba29ed90189049bb25047e2e2573458c100c43c2788d8ad739b049a829472ce982785c3a4e25a8e042617c591d94852c7cc4dff950 |
memory/1248-50-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1248-51-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/3028-53-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1248-54-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1248-56-0x00000000001B0000-0x00000000001B1000-memory.dmp
\??\c:\windows\system\explorer.exe
| MD5 | 7105cd75e9c68b9ecdc6a3b9cc23f78d |
| SHA1 | b7a92738ac425fd59fecebaa24c2095d38674867 |
| SHA256 | b5f5b0832c163e26991d52cbc747aa5e300753ce801513b8f416ef94e09549df |
| SHA512 | cdb2075a716edae1e68198e2e40f98af48cb2c39b0cb2c16248ae95c89cffed6de3fe17f3cbd2e97c6209d27ce09265cefb2a43f7f0826758d4dfa64353c7286 |
C:\Windows\system\explorer.exe
| MD5 | 684590f64d2e60d78e0ed32b1c14d0a5 |
| SHA1 | ca52e2d56f9c982b3351f35310019e011c49ee9b |
| SHA256 | 2990e00ea3b7e3f9c5d5bd7c16d9cc8c4f70dc33e457891bab8e5b4e54b30676 |
| SHA512 | 2f0ac208312dec0eb031cbb122467ad1b9a620d6ff4767e262b1f8f270c153d04bf47c5dd5e855efeff30aa463d28ec2e23339bcd198909974f949d534ada72a |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | ca089ae542369601d4c906ee72616340 |
| SHA1 | b4789fb0b98f67efbac0f2901102935b04b5978a |
| SHA256 | d90550a2d5155eb7082a09206beb61e5ba8e40498cf4638ae9271bfa5597b6f1 |
| SHA512 | 54e0905562ecdec8cc99c9dd25922eef368d3b71ad847b05dde4de44cf9e84a2df4253a1b561850fc39b3d6b078ac90607c6df944e88458874070e384fb37fc9 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | de67740516e4b4186b76948d1e75ebe6 |
| SHA1 | 66828da4c17b886dd5353e7001a59219e6dda142 |
| SHA256 | 34c5965f537380d4e6363750ff1d37147baf23aeab8ff5de67a42a4cdc0a79ae |
| SHA512 | b423714a4224b2dbc9e1cf9bc96357c98a9e6d57d193b034a1483715b1e66900528b4a4169b940e35eaccde9ea446ab7b9ca583ace912a49834b3cf83c4e391a |
memory/1248-88-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2196-89-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | d10c4f6a1823a6362461f275bd7e0837 |
| SHA1 | b1ded9c0e6502c3722c91876e771e95d727d450c |
| SHA256 | bc63a271f0ab501945e93e98b279293294ddf655abfe2c2518485108ac47c48b |
| SHA512 | 1d7363879b45d2a13b56a768959d0ca3cae572856a4a5bb44b326617d471abd223ad8ecfc20088bde6590567f3e31f1c8075fc1071abccd6bd90b300d828393a |
\Windows\system\spoolsv.exe
| MD5 | 35af054e0398aeced03a69f243c44cc9 |
| SHA1 | 13a1e431eeab154448bdf479175d1a349da73a14 |
| SHA256 | d4d0f51da08b6ae75fab478ef650c3bf88b0bf11db49fb573dfac3ca432d225b |
| SHA512 | fa0046546bbf047fcfbea90ec2e0cacf26124eee08739720d1db58bdb010c17c0b5dacdbf12daa5835da4277fedf5507bab42b8fef8ec46a44369e49b9a5dd25 |
memory/1972-102-0x0000000002E00000-0x0000000002F14000-memory.dmp
memory/1572-101-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1572-100-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1572-99-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | e7645b908e5a414c7361e2fb0d48ad8d |
| SHA1 | c7b03c5da4223ad8a3bf6912bb2733bcf3937ed3 |
| SHA256 | ffcd66991ccfbc224000f66600ec3e32269ad63c321790db865738509f17579d |
| SHA512 | 05eaaf4c96e914d96398b9f574fc0b81ed174ca9bbd542789c457168e638e78b8b6837523c369fa555e2ebefb67f24e38adaff1091e56633bb68381db1246a27 |
memory/1572-103-0x0000000000220000-0x0000000000221000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 43636ec9a5b02942df4ff04429b73a06 |
| SHA1 | 1acf4771a710a9f5a1509ad6a99d14aa4ceda2ed |
| SHA256 | bd2d97e4ba6cd6ac9a672337799a61a485fe94445be3b2556533c3381753703a |
| SHA512 | fea9f4e14b87b95a1d7fc3e0f8f2cac3e4c0ad76cf3eb5c8ce2d4a1f850d99387cabc748dc24f3701a720570d499126aa83b9f5d4b5fba868f85880f5392b5d2 |
C:\Windows\system\spoolsv.exe
| MD5 | 2bb21ad8fd83e3765d130478eab989ed |
| SHA1 | aadaf583fee22a1ddbe1da1310d03cb8f40a7d3b |
| SHA256 | 6286bf1582f42de9a3d2a465572336d30f06a17b74d62aad96b33f53383f3360 |
| SHA512 | 5a84736d6f50ecb823219230c084ffd04503b63bf4cd94ad1b1bc87c99372052dfc3fcfc3d3fc7e2c5c201afab267d63344b65aece84fac4e9c54a20584b6806 |
\Windows\system\spoolsv.exe
| MD5 | 389552c70a7ccef91b898ec4b4823c38 |
| SHA1 | 0a6f441afd4b9a30ae2210524234a231690132ea |
| SHA256 | 91ef040a2a2a57d5f57097402ac69046b61d0b0defb23b417c4c51de0554534e |
| SHA512 | 991d783c2645d118c5a0c0e24d82101fc30c5124982a41b1c88d42db4feefd6c5b4c5d6b8ed13cf800b52619cb56c4d86d291115c4386bbe17ef334cab33ca7c |
memory/3024-114-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 09de68e1fc21c3fe26ad11208fd37ed9 |
| SHA1 | cd25f0f54a4d02daa6fde902f46ec377711d9133 |
| SHA256 | 8c3076b042958ad3be9a87f678f21e03379fe58ae6179fca6d3a851e56297a88 |
| SHA512 | 38f007aba37ba83c996702a3d87144de55c2832d3b0ab74ae1b5cd5e00a0eb05fb7fd45d84ec2fb61550db5de733b64e5e42927e86d8e7920f82fe6ef15c52fc |
\Windows\system\spoolsv.exe
| MD5 | 992f556ab30504867cb7d4c33ac4e647 |
| SHA1 | d34a6fdedbd68677115a9a37e869a595401c70a8 |
| SHA256 | 44f7491789ce74f63bd720a6af631193fe36d16e0a66ae9ec6589e0cb477b4cc |
| SHA512 | ddbc739034139ae9c02362253d60631bcb255ce1e2ad2da9dfb05c89e646e616e8c490b196ed7fea238f66db33f19ad075412f7fcd540e8330a7cb848abac738 |
\Windows\system\spoolsv.exe
| MD5 | 88ef994e451759f2f8f18414c0bf8bc4 |
| SHA1 | dea464d9ff9e923adf8cbeb36cad36fba28d7eec |
| SHA256 | bcc8fcd10f2d6ae44fcd2d525758fe832701e3668b7c22651f61f39dd1f2341d |
| SHA512 | e6adf8695528f24e06241435aee9876ad90009f40073cf0fe2d2f547467cb9929218d148f6777e54093bca802e0ea3132102f4df3d2ba89f2cdc0d5a351c092c |
\Windows\system\spoolsv.exe
| MD5 | 29fdf865c314612ef1b18eba56308302 |
| SHA1 | edd323e22885a0549a5f97e27d769914ad22188d |
| SHA256 | ae4ede1d27e8295114d6d25537090c5b1500b8f4fa00e0ad323d9b082ec5367b |
| SHA512 | 6afe9540fde1b8c08e9383480894e52b6e8afb4112e3dcf2b9cbab6bab1577ced787d28917c8e3e3f8527af6650573e6efae2e6cb8e9969b07fcadd3572c8d1c |
\Windows\system\spoolsv.exe
| MD5 | 5640b7155e5aa2cc74b2f1979d2a3e0d |
| SHA1 | b963950535a57e66886e17286c37d832338a9ba5 |
| SHA256 | 951150a7d54e422b80cba1fb5a450225c3d9ce03772af0fd98d063fd98cb9097 |
| SHA512 | 0593bc6398fd27495ae17aebb81bf920d32c9df71a93528a401b9a431a770a1208500bbef79161b5e31ae3f4f91adb084ee066fe9087355d70cd3232d1d2a44f |
\Windows\system\spoolsv.exe
| MD5 | f95af403f446237e6881e71945bca678 |
| SHA1 | 726aaaecdd198976a38d4f7ccfcc57027fbd05c1 |
| SHA256 | 661b37dea35e51fb1a4e88cad65d178780e9383562c40cd03c4aab07fbe3078c |
| SHA512 | 7d765739a67684e14792aed1e5d364c6fe3e6819ae1a798b30af6eb6052f4cccab08bfdd486e9050cecd79a90cb08dc40190dbf53ba00b3687dd0c8b69bd19f8 |
memory/1972-122-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1572-123-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 040abe3654d96d6df3d6a92faf26b765 |
| SHA1 | 8ac1e1e4f41d89004b5850152a8364b96249da55 |
| SHA256 | 75cc9a9f37cc8402e17c8e51e60b693a45476359ed47574d8894f29e201cb7a2 |
| SHA512 | 91620cf77bb13f5d03048e7133b9bb6a9b113e788f314e069248e50640455f75b57e8fc52efb23e1c560ee80e7ebc55063e9b9984c279d7a9d55320c3721cc01 |
memory/1972-133-0x0000000002E00000-0x0000000002F14000-memory.dmp
memory/1972-131-0x0000000002E00000-0x0000000002F14000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 28748d44815770c465357d5e08b41458 |
| SHA1 | 60f48709126f3e469c0d857b36091e07913f2602 |
| SHA256 | 8bde1dbf50c67b3f881e0dd20bbd966fca8e82a96bf2971f607efee3f3d3adf1 |
| SHA512 | 956451e337a53e92b4ae67ea38b35fa3c36881b1c0499c98032f7562c10c4c2e52f6efebdbd71072c0a26efe620b7485a45e5864964098da7b56625daa74bebc |
\Windows\system\spoolsv.exe
| MD5 | 49351b5e38d33aa5ee52855482b912f1 |
| SHA1 | 29b33a01caf58f47e24d77055e2669f968849a42 |
| SHA256 | c9a3f1da758d072490c014f794fc32b423e53d5db6e4f46cb6aecb82eb9eb9a2 |
| SHA512 | fb8465f4f2db7ce15f6f6999981bed5ecf50078bc042f9c1b230735251efefe67f75287a88f27349b30b4c273d0105e5fffb79145b0e0133230d5beebffecb53 |
\Windows\system\spoolsv.exe
| MD5 | 325488de3b99c286b886ec20d2edf1d4 |
| SHA1 | 92ee13a324c674f1e4e85e842cdef338f8f43207 |
| SHA256 | 2ed6de9f8a62a3d5c57c5644dba5328f9620a7d109a8236345e0d81b144e273d |
| SHA512 | d6e7f7e5629424deb9e6ffada6273cb80465ec5d40de544fbc6170229563fdf3e4694ecf158fad80c4b179fb890205465d533cff6984f4e416a3bad4444dae10 |
\Windows\system\spoolsv.exe
| MD5 | c688b326c322d63444db8e1d1ffd4f61 |
| SHA1 | a3643e2cfc51e905467db91c830c67777f10ae5b |
| SHA256 | f5783619d56c1970ad717484fbf073c93ea881494977e110be8e50a28a915157 |
| SHA512 | 00eee7983203d917bce8ecc374a1b792e4f78173c798da24b3e59a38d76edd77316ceba01d0301534150a9814df0ba396fe1805024a19f0c47a9a04f2ed83ffb |
\Windows\system\spoolsv.exe
| MD5 | 1c1f28fbb0ded41c81e89a3aebfcc280 |
| SHA1 | 5277415c706c0ad816dfe652157b1df955b07ead |
| SHA256 | 7d25896e84610c60c4b3717c1088535f65f51ba564e21184315c7a42a8faeb86 |
| SHA512 | df8ed343aba3efd0059c011a127433c47f17af422e646c6201d6c89eb89caf8f0425157c52a449ca751db7ce7adf05ae12c39c7a28d6ffa02299400ab8b60db0 |
\Windows\system\spoolsv.exe
| MD5 | 6536bef0a9854470b2ca44f6c69029e2 |
| SHA1 | 9bce608a1b3e9c723d34890c42588e000f7f5c03 |
| SHA256 | 93ae3a8c670087c054a351436a3b942607fb43ed42717c006a00ba48781b7604 |
| SHA512 | 67e190dd200eab46257ce123929d524fd3e9fdb0f5aabf43024bcb0193a857bcd836cac507af766a9d3d2e3db88674ce6ee201d90d3feeb22b5aba66af1557cc |
memory/1972-141-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | ba153aad460d6c5d35061122dc440da0 |
| SHA1 | 0d7738532678dfe46a55d1da4b4e6294c9496d18 |
| SHA256 | 8cacc6b6f8e258df482802db943accef1c88f6a767175cfa01a976d3afccc8c6 |
| SHA512 | 5318898301bba45dee3a2f6a191cf0d3d89b316bbab75b8c4ae6ced79b6dc43c066bf63cd0ffe4223dd4d92eb074d808e7c40383e64207d646a78c926eacab51 |
\Windows\system\spoolsv.exe
| MD5 | ac7d254c85f1979733453354f31ac469 |
| SHA1 | 055646f88be2f9f6b9a429b38643abbec52a0b28 |
| SHA256 | 43692776870a68e9eff84421059d7185a1c7ffdc839ec319217903e33ce6ddbf |
| SHA512 | eb7e952c920ebb17bc68d554047d329dd802453b2c0aad78ccc8924c1248d740580f29f660ccb653fe2864199a45b65a60f001135aa08ae6455daf509fe07122 |
memory/1484-151-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 703561e35a268ac4641fe57d79d67db1 |
| SHA1 | d981fe6cbfc577b2613eec04ce5c45a96f401bc5 |
| SHA256 | 949af92573442e2935ded3f277dc5581ca443025a7cbd32a987e348b0e25e803 |
| SHA512 | f779814ebbfcb3196832bf2eaf6ead4fbd61d83f6880de2380c8fb4de8406046c65254f479d211740a54fded1086bba8547990094a6ee9d33a2cf3d799e1b8cb |
\Windows\system\spoolsv.exe
| MD5 | 386bf9cf4343a52f1991ef8fa53882f2 |
| SHA1 | a0e8343a360b6b4af6c32d7f6d4f21c80a640e2c |
| SHA256 | 7249eeb7e95ce713db00829a23fcf70298f285847f51a1ab3c34b854935cb4b1 |
| SHA512 | 369604ee2fa922ca768de2a2f90930f64063b21e281ff1286eba4500e1fa1f2c8a91307d07128ee7ccee470100fb4dfb3bce2210b52fcee1e91a130a8899b96c |
\Windows\system\spoolsv.exe
| MD5 | 1e63c03ab3dd62b85558db1aa9177098 |
| SHA1 | d8dd68fd81999d53de30d2ff887a6a68bbe93c8d |
| SHA256 | a7577d27c2c8b8a6d67b3c25c70fe7619178a1d1d4771b0909e0c2955f5515bb |
| SHA512 | af33bc1a52150c18768be1412e121d60449f11c31885322682f661479f0fa78551fa562183d1ad295ee5710483a5efabf1daca99a4dca117d0908abbc778d197 |
\Windows\system\spoolsv.exe
| MD5 | 78fb6d8aab327aa3181ec4a7373beda7 |
| SHA1 | 91289795e2b713300b384b0a1a6b9565f076209f |
| SHA256 | ff5cdad69024eed02e26d5fdc22413698baacb06c9ab083a085ac3fb7a46a86e |
| SHA512 | 5af29311407b33aa2cf3192516e2fe0a445a54d8c6dd2d61ff252032a3ca86e551241a88d433cda7932c9f866c08530beb13d1eece2ebc9e64c343f7ce7761b3 |
C:\Windows\system\spoolsv.exe
| MD5 | 042eac7e38d3f1235b731c52ba6e62cb |
| SHA1 | e43097e193986eca9e710aaa62ceaa59eb4638df |
| SHA256 | 0379cfc03971793c6a364fd3dba0902507dc0577a6e7ffc65fe3e984f5c02c71 |
| SHA512 | 7f7126d22d585b792ee8f0319203113e351bbb43c58f283aed027af3fca2ec5c68bdea8999d553f077ae6173c373a9163b136212ad938566a541bad2b1caae86 |
\Windows\system\spoolsv.exe
| MD5 | 485cf8aea06b4d4d7fd1ed5449e057ab |
| SHA1 | 7f3551b97a8d10dcdc697681271fd147d35da476 |
| SHA256 | f7d1660bfd1541c7339ad38f92e3122ea12a101af5dea27d25c7e49188ccef60 |
| SHA512 | 87af282c3af1d52a5169e035c2251071c654582bf9d0738b430acca3044a22a403eaad179cad087608c9c75f0116960aa0bf61a476abba9aa6a3b013d826486c |
\Windows\system\spoolsv.exe
| MD5 | c1d86839b95302e13c16ba2545c88006 |
| SHA1 | 0265daf0c6d6a5472f697cc8e09e03d43cbde8b5 |
| SHA256 | 8cf16c96f5e04ecbccba97003b4899b056c953d4cec62648688719ac197354f1 |
| SHA512 | c9458a282d7ff672566084bb05599d2c2dc9bca1e80f020b5c47422cd97f9fb76c06408fbb0539bfcaf86c407e7c10f10fd4945ae44fbf14e38977247f4e067a |
\Windows\system\spoolsv.exe
| MD5 | bb408058e1259c931f3661a0fffa58a3 |
| SHA1 | ab93b79d17ec61204dae6dec0235f66552b36e79 |
| SHA256 | 9f1ea2839661dd7a6f136c599c556501447969eae88112c3e372bccb71f3739d |
| SHA512 | cb79b24334cc43b3d1cc54c4e3a350bf01dc9b1705de954b4310571853966a02176ad1e43ba1a2ac85e71dbf5fa31cb12267ab1ad416cd2fde29259ee2e90487 |
memory/1972-168-0x0000000002E00000-0x0000000002F14000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 83aba96cbf89a0c2175fba7dda88e223 |
| SHA1 | 9cf0f157a4542c227fd808991e839908198e168a |
| SHA256 | 96cbc475a0a0e0e857f973dd6921d565a66ea44dbd092175a08fbba5c90f822c |
| SHA512 | d11d4f852fa294e128c332c5e623d5bf43788a1b06e441d2a026b736a883e39e017d7b6238d7ae56d3e731ff57618a4deb2882168686ce19f288c690a89c94b4 |
\Windows\system\spoolsv.exe
| MD5 | 351e2a85b20f6e5551d2ef084867813d |
| SHA1 | 219c13a078fc38889fadeced5a6d3f4e924c72dc |
| SHA256 | 1e49254383e340b2e2134bfa6b53239bd6b821bc79c39f211e4b3f568a62667c |
| SHA512 | 79fd64cb333ca6a1ba68fa906ce070863a2881a68495751444e987a3d77357115484384812b2df096c98051c8bb79c7b1b24398ebe95fe807c52640582f6adce |
\Windows\system\spoolsv.exe
| MD5 | 89594c727cc88d9b10a7ac26c76cfaff |
| SHA1 | fdb9a4dc31eaaff26ef7618b95c15c5ef09e5654 |
| SHA256 | c1b4be6e5cb260c1d82518d62611cbff73c9daf5d915c748ddd2eaa8b2a1f467 |
| SHA512 | f44aacb604e61fe54ed5e30ad49e0181e181b7d00ce61729759ce68de2eaf0467bc1c9b34dbad94f8a2b5d52babbf182a7d97332980ecc60181cb3ec37f7b855 |
\Windows\system\spoolsv.exe
| MD5 | 3e06ca10a5ffa37d6ae32912c2adb229 |
| SHA1 | 2c820d543430e16a4a02afe76a5d192062b83904 |
| SHA256 | 72ed31bfcd1285c225ecfdd5f18a9f2c2c85b45197e1c12394c2aba288920f20 |
| SHA512 | b9b162fedecbac5eff0ca64420740192c7afef952447f881a377bb9657f3517227cec59cf796746a7338c5cc4a8a95b5175cd0483c63f4607a2fbbb233c053e2 |
\Windows\system\spoolsv.exe
| MD5 | 80b0d7263e82fc67eff7bbe16d28c23a |
| SHA1 | abc564e6d4c29c1497893383e11018a18c2a901a |
| SHA256 | a3539844a4538250bb2c28c2628f40b8724acc99342f7dadb0b5249c691cbd3c |
| SHA512 | ff72ae19ebdbe66c69763ecb99a20e1093e9ff4ece29c7b42fefe64292272cb02dc4b90ef6d533a5776497b5ad7cdf358ad3f015ff14ae1277634e8ea87c2fef |
\Windows\system\spoolsv.exe
| MD5 | 65130a730e03e9bed6e8446efa69a45b |
| SHA1 | af4cce941e1cbf3f12494f68442de9bafa43f082 |
| SHA256 | a2d05dbe7cd195b7f5ee8f3f557055c75e1bb20c9c9d9aa8fbb38e63b2efb95e |
| SHA512 | 4e6debfedf8d0288331979c9507332fa00c4650affc34b627e9cb8f3b7ab438a086aa43c8a94a2bc2dc3ddb6fd62589d2236cb7b6abe103fd9a71e1d223bf422 |
\??\c:\windows\system\spoolsv.exe
| MD5 | f36852e1a248c6e8166bfe42afe271ac |
| SHA1 | 1a6fea804c037dba9736238b6f3f0c369596f48e |
| SHA256 | 5637ec4f788592178e85ed2d805ecdb6c182b0320414d72a9b0ccf5c8fc2d3a0 |
| SHA512 | d81b4ef36fdb210a917c41f29284651bfe756ebbd2ef6667e0797ef8b9ccba20d2fad5767e366199dc1d17c41c5a22844349eb085f233304571f2c7e2d78007a |
\Windows\system\spoolsv.exe
| MD5 | c99c2b42bf37344d76d7c15ba4f2d934 |
| SHA1 | 754207587ba1cdfb42e6b15c28a4587c05ae6559 |
| SHA256 | 852a8429e960a4be097a0a865317f18c4bef8272cdf03d55847895322c3bb200 |
| SHA512 | 14add7fc0d59b8dd5b8932723fc06fc0af0559d8305f84274c0106e0440da1034150a1317fc28274cf4e4f7db6adf1b962f2f33b94239f3ff664215b2eecb04c |
memory/1572-206-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1908-207-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1972-209-0x0000000002E00000-0x0000000002F14000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 187bc17e8ae4717a467a9f0c8ffdd4bd |
| SHA1 | b4fefe78805ee8f476d8ce48f41c84c87375ce64 |
| SHA256 | ee04356278adc3bd244fcefc90a75349a0728ae211fc999d282702f83e2fe8ee |
| SHA512 | 8178ce6fa831a57b241098cef28d480a0ff0bdf40db519c3479eb387b76bd9ccf59e3b4aec7649e3fe2411122a7337480dc20ba82f4af689d4809edd0c777b01 |
\Windows\system\svchost.exe
| MD5 | f4cc8f1ac29dd8d88aecff639ad60a8e |
| SHA1 | c62477a609fe1e080a13927b8a1b4b13a270f739 |
| SHA256 | 1ed9adb5c2e1c63d2d9d921fb7cc6670ce7953cb94b7c097b7f0c34c1a9ad078 |
| SHA512 | a09dc367c3501f7ff4a7a23e02a19d48e88314e495c1255e4180e807fb149a4f6d04d113c31979e0d20522ab9c5427b5d0244710c81731b4d573e1e8b590f360 |
C:\Windows\system\spoolsv.exe
| MD5 | ae12664bf72d04aad0f76c3d2903a6fc |
| SHA1 | 0fbfff71421cc9280ce44ab1f203c331b014a516 |
| SHA256 | f9105b37ac2f49175ed08b50cec407d4d703c708c9f72269b26d9128e8ddc8d8 |
| SHA512 | 946a99f0399af9b24614007bb4cc598e03f409792704833d024e44f6e567154c89d02e1886198123321b98f154a67a3782b724c771e7d9e06b0bb62e76859357 |
C:\Windows\system\svchost.exe
| MD5 | fa5d231fa267388c70fb77eeb086ec80 |
| SHA1 | f5f3471d4549b731abd9349a843cf2623129e3bb |
| SHA256 | eb888bb2bd7276e1729fb698696222bb0cf24590696cd68acf14fc7e8b9cfa03 |
| SHA512 | defda67cce1b47c5fc59950ac71a14494b9f8f5c6ec3265372379903c94a487d32e3bf271cc36ebbc17261b97ac90320028bf0e512a958b6f6a0d248ec0e5035 |
memory/3000-222-0x0000000002CE0000-0x0000000002DF4000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 9924cd5126b8f8e7ef1636aaa5e247c6 |
| SHA1 | 9d6bc6309f8725eea40200cba8bca67df86bae9d |
| SHA256 | cfe389ed68770b40e3453d5e44f088a71bbec1bc4d5e8c8666a5c6ac6163c7bc |
| SHA512 | 531cdb5fc9750933747e997601552bd2acae1ea3964d720b6c057f05c1176af1ccf70e1f648cd235c1df38957d43b6203bb4be6350ce5523dee43d2ec2e38390 |
\Windows\system\spoolsv.exe
| MD5 | e8e26d2b436e55a85a938c5ce3b09ae8 |
| SHA1 | a8c8e5d20dff2f736e984da1857a7a77659f8017 |
| SHA256 | 01c6eb5a031bd1cfa829c660a5db0202bedb94b8615c305a7e2d66d47734665b |
| SHA512 | c979864b158fd4db8c034e95b03849dd7b3e26264e83b4c57fb8cf8c592458d6a34078d8a92e701c1cfee5f239f7067c046a9e509baa3789799a37192e258e0f |
\Windows\system\spoolsv.exe
| MD5 | d73803edb69db1f9c5dd1487bff9371f |
| SHA1 | 4653457b4756416678f05a890efe8ecdea0e2532 |
| SHA256 | 42ffb94a00ce55c7c33ffae025cc69dca28f18d91f6fb4a3bbd42b05a897c600 |
| SHA512 | 7f09b7a4b94ec653f4b90fb079f186e41bd8f5426e28b541a42944eb0b7c6e4c1f11f38dc60025df17b223544f4828107172a63e0c880e13581ebeb15432d8a3 |
memory/3000-232-0x0000000002CE0000-0x0000000002DF4000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 1213a52fbe31b6c73ccbd2113a9fb314 |
| SHA1 | 5dc28b22c119ad0d689f11ec8a6d6ec531e664d5 |
| SHA256 | 5a3bde6d11efa268c6f43df02ff9e3e7dca5ea6b80788beaa25e9686e7533d20 |
| SHA512 | 2d16500bc29dd43eee7054344b163e39d784892dc402a7b3901aa0171b9c8b78275405f518045db7a716d35f7b45f99baedffe8fb6b546fbd6e504eacfffde3c |
\Windows\system\spoolsv.exe
| MD5 | f82eebd6fee380d7623b7d343d03a6b5 |
| SHA1 | c47eb41595d369bdd4f1b0c72cd7c13d2604081f |
| SHA256 | f8373cbd5edb9c07471f742c813296769bbedd5dd0fc9e1c81965e62ec19d74b |
| SHA512 | f6d66a2c57aadb92198624d5ac921ea660164648411c719b6c6aef687691590c4477c7bbdf0d52a74149129e79947d289324cce10a307723cc8e47bbb60df6ab |
memory/1972-225-0x0000000002E00000-0x0000000002F14000-memory.dmp
memory/1944-233-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1944-235-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/3000-238-0x0000000000400000-0x000000000043E000-memory.dmp