Malware Analysis Report

2025-01-22 14:20

Sample ID 240229-ehqpfscg6t
Target ad9fb7c8be1e320ce0e8571e63c2ad2e
SHA256 b5bd9cc017f112ce8dc8bfa382dbc0f9e41279b8f4986fc374bf85ff128cc5f5
Tags
rat upx warzonerat evasion infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5bd9cc017f112ce8dc8bfa382dbc0f9e41279b8f4986fc374bf85ff128cc5f5

Threat Level: Known bad

The file ad9fb7c8be1e320ce0e8571e63c2ad2e was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat evasion infostealer persistence

WarzoneRat, AveMaria

Warzonerat family

Modifies visibility of hidden/system files in Explorer

Warzone RAT payload

Modifies WinLogon for persistence

Warzone RAT payload

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 03:56

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 03:56

Reported

2024-02-29 03:59

Platform

win7-20240221-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (×50 identical rows)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification (×4) C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (×62 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
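The registry rows in this section (Winlogon\Shell, ShowSuperHidden, the Active Setup StubPath, the Run and RunOnce values) plus the cmd.exe command line under Processes that echoes a launcher script into the Startup folder are the persistence and evasion set a responder wants to recognise from raw event data. The Python below is an added example and not part of the sandbox output: it triages such rows with the checks that matter here (a second entry appended to Winlogon\Shell, ShowSuperHidden forced to 0, a StubPath under the user profile keyed by a malformed GUID, autostart values pointing into AppData or into c:\windows\system\ under a real system binary's name) and parses the echo-redirect command to recover the dropped script path and what it launches. REG_EVENTS and STARTUP_CMD are constructed from the rows on this page; the trusted-directory sets and the list of borrowed system binary names are assumptions made for the example.

```python
"""Persistence and evasion triage over the registry and Startup-folder
indicators in behavioral1. Added example, not part of the sandbox output;
REG_EVENTS and STARTUP_CMD are constructed from the rows on this page."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind where detail")  # technique, source row, suspicious value

# (description, registry value path, data) as listed in the report.
REG_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell",
     r"C:\Windows\explorer.exe, c:\windows\system\explorer.exe"),
    ("Set value (int)",
     r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "0"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath",
     r"C:\Users\Admin\AppData\Roaming\mrsys.exe MR"),
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive",
     r"C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     r"c:\windows\system\explorer.exe RO"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     r"c:\windows\system\svchost.exe RO"),
]
STARTUP_CMD = (r'C:\Windows\system32\cmd.exe /c echo on error resume next:'
               r'CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe",1: '
               r'>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"')

# Assumed trust model: Windows directories are matched exactly (c:\windows\system\
# is not c:\windows\); Program Files is a prefix because vendors use subdirectories.
WINDOWS_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
PROGRAM_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "spoolsv.exe"}   # names this sample borrows
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
DROP_RE = re.compile(r'echo (?P<script>.*?) ?>"(?P<target>[^"]+)"$')
RUN_RE = re.compile(r'\.Run "(?P<image>[^"]+)"')


def image_path(value):
    """Lower-cased image path with quotes and trailing arguments (' RO', ' MR') removed."""
    v = value.strip().strip('"')
    m = re.match(r"^(.*?\.exe)\b", v, re.I)
    return (m.group(1) if m else v).lower()


def in_trusted_dir(image):
    directory = image.rsplit("\\", 1)[0] + "\\"
    return directory in WINDOWS_DIRS or directory.startswith(PROGRAM_DIRS)


def triage_registry(events):
    findings = []
    for _desc, key, data in events:
        klow = key.lower()
        name = klow.rsplit("\\", 1)[-1]
        if klow.endswith("\\winlogon\\shell"):
            # Shell is a comma-separated list; every entry besides explorer.exe runs at each logon.
            for entry in data.split(","):
                img = image_path(entry)
                if img not in ("explorer.exe", "c:\\windows\\explorer.exe"):
                    findings.append(Finding("winlogon-shell", key, img))
        elif name == "showsuperhidden" and data.strip('"') == "0":
            findings.append(Finding("hide-system-files", key, data))
        elif "\\active setup\\installed components\\" in klow and name == "stubpath":
            guid = key.rsplit("\\", 2)[-2]
            if not GUID_RE.match(guid):          # {Y479C6D0-OTRW-...} is not a valid GUID
                findings.append(Finding("active-setup-bad-guid", key, guid))
            img = image_path(data)
            if not in_trusted_dir(img):
                findings.append(Finding("active-setup-stubpath", key, img))
        elif "\\currentversion\\run\\" in klow or "\\currentversion\\runonce\\" in klow:
            img = image_path(data)
            if not in_trusted_dir(img):
                kind = "run-key-untrusted-dir"
                if img.rsplit("\\", 1)[-1] in SYSTEM_NAMES:
                    kind = "run-key-masquerade"    # system binary name outside its real directory
                findings.append(Finding(kind, key, img))
    return findings


def parse_startup_drop(cmdline):
    """(script path, image the script launches) for 'cmd /c echo ... >file', else None."""
    m = DROP_RE.search(cmdline)
    if not m:
        return None
    run = RUN_RE.search(m.group("script"))
    return m.group("target"), (run.group("image") if run else None)


def triage_startup(cmdline):
    parsed = parse_startup_drop(cmdline)
    if parsed and "\\start menu\\programs\\startup\\" in parsed[0].lower():
        return Finding("startup-folder-script", parsed[0], parsed[1] or "")
    return None
```

Run over the report's own rows, triage_registry returns seven findings and triage_startup one more. The exact-directory comparison for Windows paths is deliberate: c:\windows\system\ is not where the real explorer.exe or svchost.exe live, and a prefix test on c:\windows\ would wave the masquerading RunOnce entries through.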

Drops file in Windows directory

Description Indicator Process Target
File opened for modification (×3) \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification (×2) \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2040 wrote to memory of 1784 (×4) N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 1684 (×23) N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
PID 1684 wrote to memory of 2256 (×9) N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
PID 1684 wrote to memory of 2744 (×6) N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Windows\SysWOW64\diskperf.exe
PID 2256 wrote to memory of 1964 (×4) N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe \??\c:\windows\system\explorer.exe
PID 1964 wrote to memory of 1436 (×4) N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 2188 (×14) N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
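The WriteProcessMemory table lists one row per call, which hides the shape of the chain. The Python below is an added example and not part of the report: it folds the rows back into a parent-to-child write graph, counts writes per edge, and flags edges where a process writes into a fresh instance of its own image. Together with the "Suspicious use of SetThreadContext" entry in the summary, that pattern is consistent with the sample unpacking itself into a suspended copy (process hollowing) rather than spawning an ordinary child. ROWS is constructed from the table above as (repeat count, row text).

```python
"""Rebuild the process chain from the 'Suspicious use of WriteProcessMemory'
rows in behavioral1. Added example, not part of the sandbox report; ROWS is
constructed from the table as (repeat count, row text), since the report
prints one row per WriteProcessMemory call."""
import re
from collections import Counter
from dataclasses import dataclass, field

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"
EXPLORER = r"\??\c:\windows\system\explorer.exe"
ROWS = [
    (4, f"PID 2040 wrote to memory of 1784 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe"),
    (23, f"PID 2040 wrote to memory of 1684 N/A {SAMPLE} {SAMPLE}"),
    (9, f"PID 1684 wrote to memory of 2256 N/A {SAMPLE} {SAMPLE}"),
    (6, f"PID 1684 wrote to memory of 2744 N/A {SAMPLE} C:\\Windows\\SysWOW64\\diskperf.exe"),
    (4, f"PID 2256 wrote to memory of 1964 N/A {SAMPLE} {EXPLORER}"),
    (4, f"PID 1964 wrote to memory of 1436 N/A {EXPLORER} C:\\Windows\\SysWOW64\\cmd.exe"),
    (14, f"PID 1964 wrote to memory of 2188 N/A {EXPLORER} {EXPLORER}"),
]
# Columns: description, indicator, source process, target process. The paths in
# this report contain no spaces, so whitespace splitting is safe for these rows.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_rows(rows):
    writes = []
    for count, text in rows:
        m = ROW_RE.match(text)
        if not m:
            raise ValueError(f"unparsed row: {text}")
        writes.extend([Write(int(m[1]), int(m[2]), m[4], m[5])] * count)
    return writes


@dataclass
class Graph:
    image: dict = field(default_factory=dict)        # pid -> image path
    edges: Counter = field(default_factory=Counter)  # (src, dst) -> write count
    children: dict = field(default_factory=dict)     # src -> [dst, ...] in first-seen order


def build_graph(writes):
    g = Graph()
    for w in writes:
        g.image.setdefault(w.src_pid, w.src_image)
        g.image.setdefault(w.dst_pid, w.dst_image)
        if g.edges[(w.src_pid, w.dst_pid)] == 0:
            g.children.setdefault(w.src_pid, []).append(w.dst_pid)
        g.edges[(w.src_pid, w.dst_pid)] += 1
    return g


def roots(g):
    """PIDs nobody wrote into: the top of the chain."""
    targets = {dst for _, dst in g.edges}
    return sorted(pid for pid in g.image if pid not in targets)


def self_writes(g):
    """Edges where a process writes into another instance of its own image,
    the pattern of process hollowing / RunPE-style unpacking."""
    return [(s, d) for (s, d) in g.edges if g.image[s].lower() == g.image[d].lower()]


def render_tree(g):
    lines = []

    def walk(pid, depth, writes):
        name = g.image[pid].rsplit("\\", 1)[-1]
        tag = f" ({writes} writes)" if writes else ""
        lines.append(f"{'  ' * depth}{pid} {name}{tag}")
        for child in g.children.get(pid, []):
            walk(child, depth + 1, g.edges[(pid, child)])

    for root in roots(g):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(build_graph(parse_rows(ROWS)))))
```

The rendered tree starts at PID 2040, the only PID that is never written to, and shows the 23 writes into PID 1684, the second copy of the sample. That is also the process whose memory dumps below contain the 0x400000-0x1400000 mapping and the 0x400000-0x628000 image that later reappears in the explorer.exe child PID 2188, so the self-write edges are the ones to pull dumps from.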

Processes

Image | Command line
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
\??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

Network

N/A

Files

memory/2040-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1684-2-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2040-4-0x00000000003B0000-0x00000000003F6000-memory.dmp

memory/1684-3-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-18-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-20-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-22-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-23-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-25-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-26-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-27-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1684-31-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-34-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2040-37-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1684-38-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1684-36-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1684-39-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-41-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-40-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1684-42-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-43-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-44-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-45-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-46-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-47-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-48-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1684-49-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-50-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1684-51-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1684-53-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1684-54-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2256-65-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1684-67-0x0000000007020000-0x0000000007066000-memory.dmp

memory/2256-61-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2256-59-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2256-57-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2744-72-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2744-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2256-82-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1684-86-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2744-87-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1684-88-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\system\explorer.exe

MD5 0d56ffbf35a3a47eb1f01960bd3ad4a0
SHA1 bad4c95dd56fb913149fa6fc183cc616cff911c7
SHA256 dcca027f6b3b8ddd74e8ca86232e5808033df55896e2f58d9d2a78f181215820
SHA512 0e5d6563aa424d1eddb2b66906453a2090a055de97d7d7d0635c445fda63e181b5e0b6e26e7cc24a4a3ef81e098f17790e47e97702404f62a04a89566921406c

\Windows\system\explorer.exe

MD5 679ed6a4fc978b0a367ff37c9255c658
SHA1 dafceeab1f436049df898cb331c55ce758dc73f3
SHA256 a5e4fff1944b643b8b2a6709a36099df97381498e23636e974d63dbb3486f28c
SHA512 c403dd519e866ebcd6c3ff952b22eaa8bb7fe9b215e3221c0bca514ef1cdee9cc4809a3483113c9fce8e0eac5eb22da29ea439e2b794e6ce69abbb573ea0b2c1

memory/2256-93-0x00000000028A0000-0x00000000028E6000-memory.dmp

memory/1964-101-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\system\explorer.exe

MD5 63dba527c04c0953ce30e7dbb2fc8d45
SHA1 2f8934ae99ec14b2564aae2ed5950b4645a272e2
SHA256 46c78628a367f45e24a26b8b2c63f10b17cd60a48f9dcfd6cc25b738b8499ae8
SHA512 6bc8456f89610069ce77c22119afe7543cc30ef59ae47d0e33b9285d37025a124e882bb0d12554bca8c16aa8168196b663c6d5d5a307ea3b19c36554b1737c7c

\??\c:\windows\system\explorer.exe

MD5 83c6176be78250509facbc8d26fd36b1
SHA1 1b3fd2557b5c078ad208ab47be30ea55ec1fa3dd
SHA256 35293365736f928920f9aa85876f32125c61c18dd53d953a6ae51cefd46b5fec
SHA512 8e3e1d2ce6c6cb61fdcbac245ec964e7d48502e97a0cb64f74df6858f28cb20c58bde66e87e2253892ffcd5c09d1d65aa4adab81b494ecedf774ff39a8a9f506

memory/2256-99-0x00000000028A0000-0x00000000028E6000-memory.dmp

\Windows\system\explorer.exe

MD5 47cefc1432f35406ee652a9b666da0a8
SHA1 2aa7673c799d81c87acd6c7c8679b967028f3c2a
SHA256 b7306ad56a1ef8c6e34e7e529f7e22d1134a0119f786ddd35908d8f6706975b4
SHA512 249c5c59b7a5cfc86dfa7c1c9931cf642557f3956a54949b277b45c01700ef6a1d7a6c8375575d33ad14aaf1b9b5b3c33b453f94b9d479dbd895f819499a7b42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 03:56

Reported

2024-02-29 03:59

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 820 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Windows\SysWOW64\cmd.exe
PID 820 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
PID 1912 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
PID 1912 wrote to memory of 656 N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe C:\Windows\SysWOW64\diskperf.exe
PID 4384 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe \??\c:\windows\system\explorer.exe
PID 3036 wrote to memory of 4308 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 4460 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe

"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe

C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe

C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe
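
The cmd.exe lines above are the persistence step: a one-line VBScript is written into the per-user Startup folder by echo redirection, and that script relaunches a copy of the payload masquerading as explorer.exe or spoolsv.exe from c:\windows\system, the legacy 16-bit directory, which on a stock install holds neither binary. As an added example, not part of this report or of the sandbox's own signature set, the following Python checks process command lines for those two patterns: a well-known system binary name running from the wrong directory, and cmd.exe echoing a script into the Startup folder. The sample command lines are constructed after the ones listed above, and the table of expected directories assumes a default Windows layout.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process command lines, modelled on the process list in
# this report: one benign Edge utility process, the original dropper, the
# diskperf.exe host, the copies masquerading as explorer.exe/spoolsv.exe in
# c:\windows\system, the two cmd.exe Startup-folder writers, and a benign
# control (the genuine shell). Not a log export.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --lang=en-US',
    r'C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe',
    r'"C:\Windows\SysWOW64\diskperf.exe"',
    r'\??\c:\windows\system\explorer.exe',
    r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"',
    r'c:\windows\system\spoolsv.exe SE',
    r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"',
    r'C:\Windows\explorer.exe',
]

# Directories that hold the genuine binary of each name on a stock Windows
# install (assumption; extend for your estate). A same-named binary anywhere
# else is a masquerade candidate: c:\windows\system is the legacy 16-bit
# directory and does not hold explorer.exe or spoolsv.exe.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "diskperf.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Trailing shell redirection whose target is a script or shortcut file.
REDIRECT_RE = re.compile(
    r'>\s*"?([^"]+?\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1|lnk))"?\s*$', re.I)
# The program the echoed VBScript will launch at logon.
WSCRIPT_RUN_RE = re.compile(
    r'createobject\("wscript\.shell"\)\.run\s+"([^"]+)"', re.I)


def normalize_path(p):
    """Strip quotes and the NT object-manager prefix (\\??\\), lowercase."""
    p = p.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def image_path(cmdline):
    """Return the executable path from a command line (quoted or first token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return normalize_path(s[1:end] if end > 0 else s[1:])
    return normalize_path(s.split(" ", 1)[0])


def check_masquerade(cmdline):
    """Flag a well-known system binary name running from the wrong directory."""
    path = PureWindowsPath(image_path(cmdline))
    expected = EXPECTED_DIRS.get(path.name)
    parent = str(path.parent)
    if expected and parent not in expected:
        return (f"{path.name} runs from {parent}; the genuine copy lives in "
                f"{', '.join(sorted(expected))}")
    return None


def check_startup_dropper(cmdline):
    """Flag cmd.exe echoing a script into the per-user Startup folder."""
    if not image_path(cmdline).endswith("\\cmd.exe"):
        return None
    if " echo " not in cmdline.lower():
        return None
    redirect = REDIRECT_RE.search(cmdline)
    if not redirect or not STARTUP_DIR_RE.search(redirect.group(1)):
        return None
    run = WSCRIPT_RUN_RE.search(cmdline)
    launched = normalize_path(run.group(1)) if run else "(target not parsed)"
    return (f"cmd.exe writes {redirect.group(1)} into the Startup folder; "
            f"the script launches {launched}")


RULES = (("masquerade", check_masquerade),
         ("startup_dropper", check_startup_dropper))


def scan(cmdlines):
    """Run every rule over every command line; return (rule, detail) pairs."""
    findings = []
    for cl in cmdlines:
        for rule, check in RULES:
            detail = check(cl)
            if detail:
                findings.append((rule, detail))
    return findings


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_CMDLINES):
        print(f"[{rule}] {detail}")
```

Against the constructed sample the scan yields four findings: two masquerades (the explorer.exe and spoolsv.exe copies in c:\windows\system) and two Startup-folder writers, each reporting the masqueraded path its VBScript will launch. The diskperf.exe host passes the location check because it is the genuine SysWOW64 binary; the hollowing it undergoes (SetThreadContext, WriteProcessMemory in the signature list) is only visible from API or memory telemetry, not from the command line.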

Network

Country  Destination          Domain                          Proto
US       8.8.8.8:53           0.159.190.20.in-addr.arpa       udp
US       8.8.8.8:53           241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53           205.47.74.20.in-addr.arpa       udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53           g.bing.com                      udp
US       204.79.197.200:443   g.bing.com                      tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53           217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53           13.173.189.20.in-addr.arpa      udp

Files

memory/820-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/820-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1912-5-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-6-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1912-7-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1912-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1912-11-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1912-13-0x00000000073C0000-0x00000000073C1000-memory.dmp

memory/1912-14-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4384-19-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4384-22-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1912-27-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1912-28-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1912-29-0x00000000093F0000-0x0000000009419000-memory.dmp

C:\Windows\System\explorer.exe

MD5 844acdb9e06b0d4e56c48ee244d20c6f
SHA1 09d260e700d2bb59bb695212d597758ccd5b3419
SHA256 2515ac4574e54096988dc6da1f9f6498b0893fa1bf54106aabfb1f2ffe725d04
SHA512 100a961588d300de146bb24ccf0b4f90149a48cf549efee18e9c97a99049603bfbaf8920d6f879cf3a842310dd9021f359cc38dec25caa835941626fa433c4a8

C:\Windows\System\explorer.exe

MD5 09a7b3c6426c87e7372356ba6a38fcff
SHA1 0c990b3990e67a9643328f4e721ecc7e15f01651
SHA256 fe6f28958d4a0f073ce4d94f5ffce64fbd050323b22d22e4f182d318c747b108
SHA512 b61798995c35a116e7a06eec53d16b732420e425e5538daf0f853528b948876174ddf9ae86187d5fab311c0d6746ed7d93d05288e90be4602bcd79bb694424c8

\??\c:\windows\system\explorer.exe

MD5 5ab874f417dc0f32ccb1e36af212ecef
SHA1 d8b01d645f6184b118c65055d488533708855323
SHA256 1ff218f19e91eec79f554034fe7e6cfad1fa8e27b83a43448d0a921833829264
SHA512 f5ef7dfe8103cda3ff0228bfb861d2f87e663fbee0a0432beb65b6568f0c54dc1925f2b515d106975d658dae918eb2863b15ca8f748427f5a1d2a07dd3ebf9d4

memory/4384-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3036-37-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

C:\Windows\System\explorer.exe

MD5 fe3ae34997ae8bc00441a6a6c7ab103b
SHA1 330211a198e55d946ed11fb298505a0dfe3f4c07
SHA256 3536f51aab6f661465aa4cf89eb1a9b6eb99b9c8913709f6053cc38d8f86f057
SHA512 acdd4f296f3e86771d74d494d9a59457a4f37e944267718496db4a4b0c9ea897afb5927a7522c4233338df5643f11bc75ddca99ae0a3553a4b030972e09cfb13

memory/4460-42-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4460-44-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4460-46-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4384-45-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4460-47-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-49-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-50-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-51-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4460-52-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-53-0x0000000007650000-0x0000000007651000-memory.dmp

memory/4460-54-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4460-56-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-57-0x0000000007650000-0x0000000007651000-memory.dmp

C:\Windows\System\explorer.exe

MD5 78efb896613ce766e381764b27ddbb79
SHA1 28511368e32715ac2965fb915f2072d415343513
SHA256 2701e15a0677871f2e599843eb8c12c0cb2e3cc5809d99164861c2c4d7e89389
SHA512 1da84eb60d698e0dde1b8eef088f931ce3cbd0d02fea5fbe3db80d5a697e38fe573a494ec6f66e215e37023da1d2e271c53aa7ec1f84ca00bd68722e108184b2

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 c4b92dcf6bb6b0bf6b57ea3434826697
SHA1 09cbc5483a90d70610b82c968037dc31d1cfff6c
SHA256 8bd8e599bf34062dc1b3570e2e573d6f8cfb1db1c5c92786a1a113b10f549f92
SHA512 13c117b1225e063c3e94c175ece6ea46db653222455cad4d5bb15e897cd5472a0d871fdfcb445350c97864d7db491958667922109b1809d8376046696b71d540

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 5567c75f35e48c2937e8a29c98a70f55
SHA1 f4d75b9d6d3d78b377cccef977d2edcc8bc4faa1
SHA256 260719ad6fd8056db272b144e32344b00660ef5d9cd55636348dd6b3788d90f6
SHA512 ae58869f7d3d29874f1396a4d8b1b4e2935bc57de8732746754cd3284a77d85f256ba234e482ace816157c90d0ec00165126f6ab25456270684ffca172707776

memory/1116-66-0x0000000000400000-0x000000000043E000-memory.dmp

memory/8-68-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4460-72-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4460-77-0x0000000000400000-0x0000000000628000-memory.dmp

memory/8-76-0x0000000000400000-0x0000000000412000-memory.dmp

memory/8-74-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e9e8b3f26966e6e19a896552cb50317c
SHA1 1312c9c6e45caa910d6d83e1eb06377f69f9d644
SHA256 185a43a5017c7de3d1e9c0c9b77537f4891fccc3b9a2571a6212388426712945
SHA512 0eb6ed3480f488da80554161c87c20258d320278d7b308e44f712023a8055b9531967f50641130e3af0b9bbf98e7510ad37ef13857cc4d50f5f439338ae42f33

\??\c:\windows\system\spoolsv.exe

MD5 47b9125546859250648699a2e8649ec5
SHA1 197af0f99dd2a9d8b35999fb79e77efc91e2acf2
SHA256 34704b7c3ccd21f80d4c9e77875dac1a25f601eebb8140045ee241f8a78d6475
SHA512 b4b161b6b279dab3b0d1ed0d069733a69b1ff9249e352ccb725c08ef64d1618a20a64fdec445d7b712425081fb6c39d66ec5320fffb7ccc4adfe6480dd8003ee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

C:\Windows\System\spoolsv.exe

MD5 2ddf6df817160984e047117d0375347f
SHA1 11f608ef7e7133e40188df577b54111c9f95cb06
SHA256 dfeea6c6621cf9667cc5cef6825757b7f36d967f0916e5d04e24d2e33ffeda21
SHA512 10d95ebf6d36881613e6bd5180a0cfd617fb31324724e3efdb14d1cb39fc9f6634fbbda1a3e2b28b06ac0efe82ad0f6cb1f944db13543902eeffa4befb767215

memory/3240-88-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1728-90-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1728-91-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1728-92-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9047901f6be1841c6be69b587f9a9bef
SHA1 225663bfbb66f7d3bf47aacd3aeaf8d36419d4bc
SHA256 463bb774f64935229fd7657449f2dc4e2f50899a4497edf1b5cbae31b1fe016f
SHA512 7978402b9265ec861fe73df7d31cb7a7b8c6c2287e7661a28dfb036e22f283ae101bde13a4a4dcf975634ac76b4753fdbd474607d966ad380b05be87b696a20b

memory/1728-97-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1728-95-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3644-99-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1728-98-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1728-103-0x0000000007390000-0x0000000007391000-memory.dmp

memory/2104-108-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2104-107-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2104-109-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b5b4236914b8f315dea48740ef641a1d
SHA1 3caf195ad42d9710dc6684e63f67938428027d06
SHA256 6a9a5d664864f599c869f0b326ce46a7eaf0c30e926096a402a549fcb96563f7
SHA512 bb7076912ffa5f83d2953c509285e08ce157284f2a3cf2ccc9ffff655a1d3d818e4564b60e9f7074f12c685db69a023a7f31f6bc96bba2a984f79ef82b91bc09

memory/2104-111-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2104-112-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2104-113-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2964-114-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1116-115-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2104-116-0x0000000007390000-0x0000000007391000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 6b3159725f8ded76b9d763714c81fec4
SHA1 acac0941e662fb6d380f170d641a7c877817b8b1
SHA256 770c9920adec258ed83f717e263313b498a36b332ab9e7e55258a0c6f80d97a0
SHA512 68a33d8d3fd6e89d00826473b23468b7d8babad6398df1f3e933ffe94d8926dbcc26aa8fffcd7c3df316b326fe1b79c8e6ca9f593035a67c9d2628e6fc2384b8

C:\Windows\System\spoolsv.exe

MD5 16bd25a3c6d3025ab13249e2c61d981b
SHA1 342fa28f45ff0c4f7c58441bff92d9ef6930ad36
SHA256 2068e913253c1ecd5a6efc1da8450282824979323a77b46b4730d7321e564764
SHA512 2fc5cc233cd133671c505da1b2048ebabb75a31b2baab2037a3bc9654a211e7d44e11fc5ab94b99cdbfe13a31902531dd538015d98ecf63f885506f0042f2059

memory/4240-123-0x0000000000400000-0x0000000001990000-memory.dmp

memory/1728-126-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4240-124-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 fcb24441fd64fe17f85a4387f8cab4da
SHA1 907eae02a8da423afe25325bbb65e0e214be47a8
SHA256 a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150
SHA512 563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93

memory/860-130-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 2bd81f8ec10438c465af48a55f7dcb5b
SHA1 a0f9aea762966ee0addf8a37f9bbb484b13eed1f
SHA256 03e7054dd4ec7cb0a2cb53fecf561c886d0ce8907e057786e840372eec93afc5
SHA512 34d47ef73b7b6d691ab776a94adf957bee93e4d39f91c8ebeff6d634ae38584967188aaa27d699decd17a1addf5872d10b0d248cdd2b11cd266ed75881e1e5ea

memory/4764-136-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4724-137-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4240-138-0x0000000007190000-0x0000000007191000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 676299d2055c11b6d60ba263a4d4af4c
SHA1 bfb8ba3ca1f4385980d30d2825896564e87e3691
SHA256 14b3e869246c9deec26621331155b406b6481c8d1125a15cc62bb6f6d338eb50
SHA512 67abd076159da03c7812a4cc5b40e3379c4b233e33baad4461de05ad3e9d4cbd05e197f71353bb506de550545feea9245e234caf56f87391aaf6d69b57df4f16

C:\Windows\System\spoolsv.exe

MD5 75b15df8a4e8144c0bfd6e4f74ea8653
SHA1 a62267625cd2190836ce4a01ea1905dc4ba1c2d1
SHA256 14d1077ecb62f61c2476c04bd2046cbcfb105ad586e14b964fb7822c0d51d84b
SHA512 d01d6de8674a1c6fad8a9fed6686cbf925f78484f5f1d8f2504070f41f02355309ace577aa247df2336f31bed0d00674be8e8bf272fa3a5b9a121f86f0a3a458

memory/2400-154-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4068-158-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e15b0cb57b0d1ed9f55a822fce9d4730
SHA1 864e950130f94c3334ebd890d26fb3cef06eb9cd
SHA256 6a9484bc37e17638ec03070b13f8e70bc0fe7032ce321fb7bdb5fccd357be1c8
SHA512 3374a81652a171714e8e994cbf7ea407e55fd64e54fccf850e673c010891b63247d56be75c2a13a4b25d5f6181eaa23fdf3b676c9d6d0be6b4e59c131d2638ec

memory/412-167-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 67a965e20c4f6f7875a0bd59cef3f072
SHA1 63b5531a8bd5c1c657ebc391f673cf8d2d2d3002
SHA256 ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe
SHA512 4755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c

C:\Windows\System\spoolsv.exe

MD5 1da9b42e228d5f1dd1d6918de8475852
SHA1 4481b9e0d6c481383f27102327f9f537a6a232ab
SHA256 d369c634127f5c98147c7d1507b708e5d1698a0f6df3a3113f62d12cf16d2bad
SHA512 caae7ee73a5b527269e061531fea07c8bee0308998719a88113f53fdc3af4cc2124c5295a3fe2ffee371aa3b6ddaf0b4010e48a030c099a2bc6623b50ae2f022

memory/4336-179-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 16926b3dd12c0fc69561d4a3b336fcbd
SHA1 d225b3495dc9782b161ef79ef7dd2c4f12ce71b5
SHA256 8e2b326f6ee3287b9d7f413c227ab4dfb4bf08e7add4971db38ba245737be3fa
SHA512 989253c5d480c67b532ed9c09f1d162486fc36391b059ade2b75ee08aecd5eebc403f9e98666f184bd6b1e683fcd6ee489b34c8991ad7ab89000c2fbe1c60deb

memory/2892-182-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 ebaa137a72aa80bf6fef8c7f3d08f527
SHA1 9c45e02846432ea3fdb5aa159fcdb983955e60a6
SHA256 06304c9a76103c7c0e0e98ba453c9736b1da41a82a8f3c108d5d2dccd3996380
SHA512 2f345f8b05a1d311b5c9f8e670004a0bc0e7bb0f8ba5c28b60e83b04c46e2a339f0b4f9a896d12497f5636408ed2094bbe235e6f45b5a70f46f7f574b0a8bc72

memory/4724-191-0x00000000074A0000-0x00000000074A1000-memory.dmp

memory/4336-192-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4336-195-0x0000000007140000-0x0000000007141000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 775d6d5aae14fb9eae069c5a3effe1f5
SHA1 1210f1f2c16edad8ee5a7a1103af896b84e85570
SHA256 51e84df2ad91700dc109d733224fd2d2f8015d06608f3122126bb167c96b3164
SHA512 0b83219e6e15e4585d9a5141ad1efe5950cfd71bd5e2103212e8fa1ca78ba7d256cdacb6eba0b49d1937c097ee909c3335f4ea771418d60d20d095d0e9a86cad

memory/640-198-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 30a91c091c2f9fd6dc1af98b9e4f64e8
SHA1 12644033256a60fae6d301d02a43c48cb2dd3fe8
SHA256 f6b9839a8d4fa1e835d2281e046b43cd3ae4b09cf4900e5c898b5460ec8ee87b
SHA512 dc4a1c8df45b5e1b55364caab99a54e6448010ac4c66ddc08cdb66006c5f32eb64e29560c7765acbe45a97dce3d889c6b3cf65d413ec7793245a680910c64d19

memory/2104-202-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1388-210-0x0000000000400000-0x0000000001990000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 47772e1e36e2b44987b5b2de3b16faf1
SHA1 380d4fac049041c8a4d268c6fb88357030cc11bb
SHA256 81a8d99bf2aebc7382063bcd83e650ae1042884af2355b4d68ba1346dc7cbd9e
SHA512 7060629449452413ed94511c54d4f052d062392ecbf2fb53f2158ecef7f24b9587fa70cc6e4bcbb8b39d2fbd370b7e1b98ccc48f50acbe782a1d2b6c356ef408

memory/2616-216-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 06148545616a466c522f72813b54b0ea
SHA1 c7c4e41673ed02bd9130113d3cce62d7f691fa0f
SHA256 cd1d7bef947f97f28389867f67b656fa43ec7a22573a6181c20d955fcf5325b2
SHA512 982b3e244437ab4fa443cd7075f2efc8d95109aa835f866ab4577348306bacbdbb3cb84c47f40fe3c370f687a067974c08787cf89e6a0de27064d9f36d615c94

memory/1328-222-0x0000000000400000-0x0000000001990000-memory.dmp