Analysis Overview
SHA256
b5bd9cc017f112ce8dc8bfa382dbc0f9e41279b8f4986fc374bf85ff128cc5f5
Threat Level: Known bad
The file ad9fb7c8be1e320ce0e8571e63c2ad2e was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzonerat family
Modifies visiblity of hidden/system files in Explorer
Warzone RAT payload
Modifies WinLogon for persistence
Warzone RAT payload
Modifies Installed Components in the registry
Executes dropped EXE
UPX packed file
Drops startup file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-29 03:56
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-29 03:56
Reported
2024-02-29 03:59
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
Network
Files
memory/2040-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1684-2-0x0000000000300000-0x0000000000400000-memory.dmp
memory/2040-4-0x00000000003B0000-0x00000000003F6000-memory.dmp
memory/1684-3-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-6-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-8-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-10-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-12-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-14-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-16-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-18-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-20-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-22-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-23-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-24-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-25-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-26-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-27-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1684-31-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-34-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2040-37-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1684-38-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1684-36-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1684-39-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-41-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-40-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1684-42-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-43-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-44-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-45-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-46-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-47-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-48-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1684-49-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-50-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1684-51-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1684-53-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1684-54-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2256-65-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1684-67-0x0000000007020000-0x0000000007066000-memory.dmp
memory/2256-61-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2256-59-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2256-57-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2744-72-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2744-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2256-82-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1684-86-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2744-87-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1684-88-0x0000000000400000-0x0000000000628000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 0d56ffbf35a3a47eb1f01960bd3ad4a0 |
| SHA1 | bad4c95dd56fb913149fa6fc183cc616cff911c7 |
| SHA256 | dcca027f6b3b8ddd74e8ca86232e5808033df55896e2f58d9d2a78f181215820 |
| SHA512 | 0e5d6563aa424d1eddb2b66906453a2090a055de97d7d7d0635c445fda63e181b5e0b6e26e7cc24a4a3ef81e098f17790e47e97702404f62a04a89566921406c |
\Windows\system\explorer.exe
| MD5 | 679ed6a4fc978b0a367ff37c9255c658 |
| SHA1 | dafceeab1f436049df898cb331c55ce758dc73f3 |
| SHA256 | a5e4fff1944b643b8b2a6709a36099df97381498e23636e974d63dbb3486f28c |
| SHA512 | c403dd519e866ebcd6c3ff952b22eaa8bb7fe9b215e3221c0bca514ef1cdee9cc4809a3483113c9fce8e0eac5eb22da29ea439e2b794e6ce69abbb573ea0b2c1 |
memory/2256-93-0x00000000028A0000-0x00000000028E6000-memory.dmp
memory/1964-101-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 63dba527c04c0953ce30e7dbb2fc8d45 |
| SHA1 | 2f8934ae99ec14b2564aae2ed5950b4645a272e2 |
| SHA256 | 46c78628a367f45e24a26b8b2c63f10b17cd60a48f9dcfd6cc25b738b8499ae8 |
| SHA512 | 6bc8456f89610069ce77c22119afe7543cc30ef59ae47d0e33b9285d37025a124e882bb0d12554bca8c16aa8168196b663c6d5d5a307ea3b19c36554b1737c7c |
\??\c:\windows\system\explorer.exe
| MD5 | 83c6176be78250509facbc8d26fd36b1 |
| SHA1 | 1b3fd2557b5c078ad208ab47be30ea55ec1fa3dd |
| SHA256 | 35293365736f928920f9aa85876f32125c61c18dd53d953a6ae51cefd46b5fec |
| SHA512 | 8e3e1d2ce6c6cb61fdcbac245ec964e7d48502e97a0cb64f74df6858f28cb20c58bde66e87e2253892ffcd5c09d1d65aa4adab81b494ecedf774ff39a8a9f506 |
memory/2256-99-0x00000000028A0000-0x00000000028E6000-memory.dmp
\Windows\system\explorer.exe
| MD5 | 47cefc1432f35406ee652a9b666da0a8 |
| SHA1 | 2aa7673c799d81c87acd6c7c8679b967028f3c2a |
| SHA256 | b7306ad56a1ef8c6e34e7e529f7e22d1134a0119f786ddd35908d8f6706975b4 |
| SHA512 | 249c5c59b7a5cfc86dfa7c1c9931cf642557f3956a54949b277b45c01700ef6a1d7a6c8375575d33ad14aaf1b9b5b3c33b453f94b9d479dbd895f819499a7b42 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 8445bfa5a278e2f068300c604a78394b |
| SHA1 | 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65 |
| SHA256 | 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c |
| SHA512 | 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822 |
C:\Windows\system\explorer.exe
| MD5 | 298436d82c8c631fcb427497d1f33d1c |
| SHA1 | 703b41c134f828553efc687766c10d6c447ccd86 |
| SHA256 | b95f14327966c8e30e1ad3d227208f6f2ddb1eb1e5d24e4f7ddf8ac848706ffa |
| SHA512 | dc846dbffd50f6750e839149f7fc9b61cd96b146ae5d74b3dbfcd9be3d1af023ec807ac411bf15591f9ae61929db627949c4b49a8df9bbeea772821acb15f693 |
memory/2256-144-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2188-155-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2188-158-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 797070700a664ee7617facd622eab321 |
| SHA1 | 64a6faea3aed4661fb69a1ec1632d566ca570ded |
| SHA256 | 9603e1da0b5bbcdb845e9e751f6b951666a3da2f721ae63c4ba6be355a94b6a6 |
| SHA512 | fa80e6ce00df749bd3fb452533fc0d0b30ad2bab199e041aaad5bc26727580fea2a88b1e5707366853478ee12d69da5a771f97e9067343c8db993cf3281778a0 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | b09c01636b4242d7f61106abb1d9d4c4 |
| SHA1 | 9d70d9ca3f7cadbeb110fa8da2aff9f1e581ecc5 |
| SHA256 | 5b47c8475ecca1c4d1dd23414419aa8e4478a04fcce95004ac0fd01c0a37c4fc |
| SHA512 | 98d70ab663222ebc4b6b559467298222a0c05972f410960fa80dce4783326ed4a809cc18d024c80383f8c25cac29e314f2012232b903a61985518a2df8092fd6 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | b7c9c1e83778258ddd4b4c3765433679 |
| SHA1 | 38dbeec8df33d2b72da624e07cf32f5fdc252b52 |
| SHA256 | 6aa22d74603123d5bcc2ca38e304e9312406616b8df98bbe06fb3f818b3c4099 |
| SHA512 | 0113edd8941724d48eb043e312b5088cd5b776930d144644965aa8d2363596be6d5a3a9a089979dac81b980f76160ff1e0d147f2ac713dea3b51a40c120aec41 |
memory/1912-190-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2188-192-0x0000000000400000-0x0000000000628000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | dee55e62c5e85576d9233eba3b0e3673 |
| SHA1 | acd28609a1136a7e5592e41ba7814aa9a339ce57 |
| SHA256 | fe60b07087bfb461f87b6a8bcc85921922d4a3cdaf346e38341ece68e48e0574 |
| SHA512 | adec42cd2c5b70424edb09ba827b4584c7684c5664249323b9c2c9fc82fd3852248dc6d738a17949514df1b6a02919f5f1f30758cd70a6088fd2634191091c1e |
C:\Windows\system\spoolsv.exe
| MD5 | 4c1118698ee3ed03c8f5ca95f9b3edc0 |
| SHA1 | 640e5a10f4f4926051cdcd56b8b43389ed509970 |
| SHA256 | 08ffdc96fbba545090a7254eda527cf71d898e85b58c1556ac9e50c3c66ac9c0 |
| SHA512 | 5c7b4951401bc3d412f03cdbb82fa961373c4288f38c406239ee3d5c308f412aefefbb79eebb6c664b8870a231177311194cf7ff376f1adf40b8cec06fef6f9a |
\??\c:\windows\system\spoolsv.exe
| MD5 | 2bef761fc56caae13488ed01d672ab7b |
| SHA1 | 7dbc485265b1968de0a9e08db11e98d0f4d86a23 |
| SHA256 | 8e3f2a1f0942dfea0d61f8dbc4bb3e5abbe67ca4b799a75bb8ae33a21bf1e449 |
| SHA512 | 9f4f75fcce41b4a77347af25252cbd797aa9ae6018ac0f01486b63bbaf4a5f6337f32915a101db5214c3364b46be4c6c59e3024f77dad606d4dc2ca54ad7adb2 |
memory/856-202-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/2868-205-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 7314e8612d9c91e4348c5373a985a117 |
| SHA1 | fefbed3392d74bd4a14993ff4c16a3c4f77ae62f |
| SHA256 | f86aa2f325bfd3f125c7fe41ff2a64340cb863f5bd5bb824c991c11b6c6b3ec1 |
| SHA512 | 545fd2f23e788076b9d56207129315fc10cc4d3cf28ef9edeb8fa51fdfb1eaa5e73052c229d2ca770fa61301ab1c94cebe0ff2e2e46fc16d5ae4e555ca03434b |
memory/856-197-0x0000000002570000-0x00000000025B6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 13222a4bb413aaa8b92aa5b4f81d2760 |
| SHA1 | 268a48f2fe84ed49bbdc1873a8009db8c7cba66a |
| SHA256 | d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d |
| SHA512 | eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140 |
\Windows\system\spoolsv.exe
| MD5 | 67a965e20c4f6f7875a0bd59cef3f072 |
| SHA1 | 63b5531a8bd5c1c657ebc391f673cf8d2d2d3002 |
| SHA256 | ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe |
| SHA512 | 4755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c |
C:\Windows\system\spoolsv.exe
| MD5 | 268df02a74534d367fa3b7085937a55d |
| SHA1 | 477e6f77066f35a086b57d33c7b01fe04824070a |
| SHA256 | 4ee4ab3b8f60fbca814b8da20f4481470e7a446549b6ee3458969e712b214dcf |
| SHA512 | 89c1a8c45430f97df0378092b2eb31f91502fc4abf79645efdf3a415260efe264ae6a86363067730eaa5ff9117f5fa6338e1c678d17ae0f141e1ec031989e304 |
C:\Windows\system\spoolsv.exe
| MD5 | 3a6373f26310deee26ba77fa102a8666 |
| SHA1 | 4f465d8a7dc559f9a684a71e277e6079f79a077a |
| SHA256 | bd998e6ed077f6989df710cb26bcd2752d6debe55450466b7f3573bcfcbdefae |
| SHA512 | 4aae79ac083fcc07de3bfbb199482409a31797c738a18a2172774a160249dbb9d43869b4799f301f3fd24ae9aa708e15088053ecf074fcfd20a63d397368e28c |
memory/1272-255-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 5132a41535fa8fa6eb41b01f4fd4988f |
| SHA1 | 1b2b166555fffa865acbf79afbc18c5cbc5ce690 |
| SHA256 | 14d09cf51b9e64558bcfc362d8877ecf41bcca89801248623bc894cbcebfa611 |
| SHA512 | f23d6fbf7c0416182d58a0764b898eba33b51b867577c3ece861e34241c0376885f2399a33aa0080e43e097308ccce199f335597627f9d9f4e800a2620ed2407 |
\Windows\system\spoolsv.exe
| MD5 | 2dda9be27a9c18d3f5b674099b811bd3 |
| SHA1 | ef96177c49a830120f76fee77aa5315bab5814fb |
| SHA256 | 0a432f2bf8e1277fc7a3b2136fa515e885c9afea76af04a0f86ac32213482809 |
| SHA512 | 429858db5e5b0b8681080b49c3bc5baf8b17f599597be5fbabd33c8e60b1c6ed73f7eabae27915ca58c100f248a39f521db47168ae4f23c302fa5385fa911131 |
memory/1920-247-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1920-258-0x0000000000400000-0x0000000001400000-memory.dmp
memory/856-266-0x0000000000400000-0x000000000043E000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 9047901f6be1841c6be69b587f9a9bef |
| SHA1 | 225663bfbb66f7d3bf47aacd3aeaf8d36419d4bc |
| SHA256 | 463bb774f64935229fd7657449f2dc4e2f50899a4497edf1b5cbae31b1fe016f |
| SHA512 | 7978402b9265ec861fe73df7d31cb7a7b8c6c2287e7661a28dfb036e22f283ae101bde13a4a4dcf975634ac76b4753fdbd474607d966ad380b05be87b696a20b |
memory/1272-269-0x0000000000310000-0x0000000000356000-memory.dmp
memory/856-278-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/1920-280-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 6b3159725f8ded76b9d763714c81fec4 |
| SHA1 | acac0941e662fb6d380f170d641a7c877817b8b1 |
| SHA256 | 770c9920adec258ed83f717e263313b498a36b332ab9e7e55258a0c6f80d97a0 |
| SHA512 | 68a33d8d3fd6e89d00826473b23468b7d8babad6398df1f3e933ffe94d8926dbcc26aa8fffcd7c3df316b326fe1b79c8e6ca9f593035a67c9d2628e6fc2384b8 |
C:\Windows\system\spoolsv.exe
| MD5 | a3b26615ba68708fd08a00e2ce1255d6 |
| SHA1 | 34bf4e32bdfbb5a1079461678b10eea7f2ba1e4c |
| SHA256 | 30182af963eb5f74876a49dc5c0347d153e135894824517326b2cbd924329126 |
| SHA512 | 7d359c52f2328f21fd42cf0489956f3a164884679dc1a7b15d3853863bd2ba24ef5035d7a68e8164c25aa8e0a9aa9867467637109ecaa5b27105fddc56ff3478 |
memory/856-305-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/2664-309-0x0000000000400000-0x0000000000446000-memory.dmp
memory/856-307-0x0000000002570000-0x00000000025B6000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 9f68d3209e568d7fe24130f706505c6a |
| SHA1 | c46545846337c7d416d2f4a989b30345a0c12a0a |
| SHA256 | 23986e39ebb84ffc3ee58ec06e1926b5e5f2c307ed9da6875a1c3db3961b7738 |
| SHA512 | c8883d42e065ffcb40c2acc43fed50e7e26057db7ac98d4d7c7f47b7ca2b904b112fb784bac37eb92142b0dbb82e4e1e5386063e0e9ee3c0ab56686711b0c7b8 |
\Windows\system\spoolsv.exe
| MD5 | c366d96561050981f6c1a936a91577cb |
| SHA1 | 414be328d4b1dc2bfb32c989dd1c060eaf5c61dc |
| SHA256 | fab22b8176c9f67af76cebe381459eb1d4fd2cfd7c39670350bb7590a9cb66c3 |
| SHA512 | e3c71b114b8e39d40f291c92310e4538f51e90805666a50b9d41d3d3385a4b31d4d5a1db3f169c86f4bc5b9eec82d166cff8b58554f6539054d82ea2325838c1 |
memory/856-299-0x0000000002570000-0x00000000025B6000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | b0e1590486c4453ce8ac30a70d612d62 |
| SHA1 | c7e2722d8688c72d50e4fcada31cc502639a15e1 |
| SHA256 | a050f5a6e047c09e323bfc084947573e3887ed46e6d91adb51cd05cb90438b03 |
| SHA512 | 60d3316064e8a4f89650a9a62fb98aa4b2e79626f29c65fb199ab1424ddd4a347fbe24aeb1a584d10249228b70ba648fd8fa4707bba1446d9e64cb27bb3c944c |
memory/2664-320-0x00000000003B0000-0x00000000003F6000-memory.dmp
memory/2264-327-0x00000000001B0000-0x00000000001B1000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 1dfb8c9373e65d8f3885359015c7cf54 |
| SHA1 | 3554302584f899733f6f99f27ac15fb51dfd7183 |
| SHA256 | 57102bcbbd53a489c697f3429cc4036160398e857001128d570e13cb0f21f593 |
| SHA512 | 98ccc28bc6cbcb96121a61b14927d10a33d4f5b29a19bd950087bf8752505732d744769cd7b3f3ab85c5d6564342069071564692f9d222618fe81804af8214b8 |
memory/2180-366-0x0000000000400000-0x0000000000628000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 180106611196716aeef379b295b7a062 |
| SHA1 | f3157c52bc8720f326142b95539c932ffe6b648f |
| SHA256 | 8149325ce2fa44de7f6d8fdf71bdc8646ff9befc6f0e62d6e610cc4124dc977c |
| SHA512 | cec62a5089ba194de4ddae1382581d7a120026c6bf5dd8dc74e6f049ebfa0298d7577bb1ddb5b4f97a729544f08065baecfffead54c9572428d56f31645ad6d9 |
memory/856-368-0x0000000002570000-0x00000000025B6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 805016469e0125dece58243b4983d37b |
| SHA1 | 7e270964dba515f1776b2dcb1337b6babb766cbf |
| SHA256 | 981fb066f67c8ab89d330a6e129ead81b51859946e30e1283ca80f49386106df |
| SHA512 | 86937bde7fff1aada2dfd1e0e7fe59c90446b5a70fb8a37ae6f45f09883295648231b3db6c1158a42fcf077b6fbf69c3ab6bd3a204385687c0bc425aeacb6314 |
memory/856-370-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/2728-372-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | c0bfdcf8155d9730950037ad3d9e6807 |
| SHA1 | 55fc4d4c5932f3846c3bf34a7b5a83d9489a205c |
| SHA256 | 3e5666e84d8eba3e1fd0e573187e9e1b44ae7652112080a3d9d18345433fd137 |
| SHA512 | 554ea054f8d5a054369cf78cb914b28838a454f52b5031261ebe57533488750221cafe441d4a01e766a15aec11fd99ec33545d2ac82109772998e3d9f4d3a053 |
memory/1920-387-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2180-388-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | ccd691ebf9ce183997328ce851d025a8 |
| SHA1 | 5f84118b58fd407502dae3bc6ce2789df2508f8b |
| SHA256 | 6955e4e8f5e0dee98b15630cb8d117c1232c85bdfc28c90aec109e5cd062fce5 |
| SHA512 | 11c508a99ff87ef08e2cfaabd59c3da0b34768d99e644ae1bba909b5734e406e01571365c4035bbc25f6aaf70e6cdec60528714eabb04218a4c8981ca3c7c09f |
memory/1700-423-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | c667cee2f2d1ab7d07868ed6260b9618 |
| SHA1 | 30a9417187059c37a8ed9726a39311080accbc23 |
| SHA256 | da3998514f90aad565cdc2492d6e62005c6132588a61ab8b6b06976d384a48af |
| SHA512 | d3b67056e3b5887bc6ab2b87fb96d928126473e32f339c3e8c5ddd201c32b70829affaa51cedfa6e2d63ec774442fa1bb77f7559fe5be21cb435982f6063eea7 |
\Windows\system\spoolsv.exe
| MD5 | fba478552e3b8e6ad8346b0e4e757c24 |
| SHA1 | 9545adebc305cec19a9b8b8a54a38d12cac72dec |
| SHA256 | c3108888d80b4072fea9e6b7083d5661d4e069489ea3f025b596108d5deff248 |
| SHA512 | c13c00c9124ec833d98bddbde55916fa0d5d5c1dd4d360fe9673326612e62dc81ce63b31e0d3cdee92118a636ad771e1971200eab4a0209a3c5d66d47cd24d29 |
\Windows\system\spoolsv.exe
| MD5 | dc9629fa0a0b5814548be64ff72e6898 |
| SHA1 | 4889f710cbbe4f01039351dc7c2a04fdea66eb8a |
| SHA256 | 17bde2e02dcb5e3f440204ff3d59e077fbf04de30d4339b3dbf20d8eeb2f5ce0 |
| SHA512 | a0978c68285d1ce400666448d27d0421e766fe9b9e5373959b8ae4b651e7959cff163dc5837e707d0ede61c17788a8b428c294d73108fbc24c3184fa09254fdb |
memory/856-440-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/856-442-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/2156-444-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 50a557665c5bb4fa372fadbeba73303e |
| SHA1 | df2eddc14a72381cc26c83268faa2f1806a58457 |
| SHA256 | 26a053bae335fa424fb830ccbab450145b163c9d475edffa38384e3e623bcd5e |
| SHA512 | 59d16c7bad2cb69ab52caddac72a3518e81f7aed71f313c52c6b618eccbfcad5ec809503d8f0405102b8a89b1c08bcc695a01cc5b19f83dad0b07c945dae76ad |
\Windows\system\spoolsv.exe
| MD5 | 3539b3ba7389bf9b5ed5d8528da03acd |
| SHA1 | 636a283f53ae2dd4c4ee45bf163d4aba104d5029 |
| SHA256 | 05f64fe9c75ba529ea5f35bf34e1e721142dde526276e98c8409e8c6140b1a4f |
| SHA512 | 56274731160884806390035e2483d43fcc502dea0b779ba085f766d0f48b2a7a80cfa13abe06c859968f65d58a52e27bd73f4a4c6b1bd68903e19ce581ef01d2 |
memory/856-488-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/856-486-0x0000000002570000-0x00000000025B6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | a64610bc369035f5734293095b06cee2 |
| SHA1 | daad37a336241ea731802b00e176b2416b244260 |
| SHA256 | 2f74e9e8f96ed036765369b69939ac71c2cbb3c03d77e43e7cc6ce6211a16380 |
| SHA512 | 3ee71d2254e58071ec7ae7482fe7c27c56449432a0e7083f5ce5c1854f1abdd85d223c88e0c65073d51701acf0277efc0676be11a9949cc09a941233b6c90ddd |
memory/856-490-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/856-484-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/648-491-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2356-493-0x0000000000400000-0x0000000001400000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | e54706f5b2162228cd7b1be98d1a321a |
| SHA1 | 033c0d3df38d415863779b0cdcdbe252a7f1148d |
| SHA256 | b1fd74a808dc3b0fa1fce94b8561a18d4c24f41d41c21fed95158764eca591cc |
| SHA512 | a167895baee84aecf9db9700e44777349acc97b816c4258b706272566ada58050adb64ca243ca7a4693f2f558cd9ef351003c32f4f31818b6d29b5fd7ae6e5e4 |
memory/648-498-0x0000000000450000-0x0000000000496000-memory.dmp
memory/2356-516-0x00000000002A0000-0x00000000002A1000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 71103e754e8f6a51e030d97ffd9711ed |
| SHA1 | 2e2535601f88baa120adadc2a150c521f80ff2f9 |
| SHA256 | f7d33a87dd500616d1412460b86ed54dbe08dc6879ac0e08d8664f2d3680442a |
| SHA512 | ef0b3d408b6087cbce87465620aada96f818ac72df63d20dd152ac7a8801781af525b9805d5f52dc84a7ef2e0fefa7fe0f390e261d1acda42ab468b5083878a1 |
\Windows\system\spoolsv.exe
| MD5 | e3deb109c419189a759b3240fa723e94 |
| SHA1 | 8402667484d7a517ebfb571a36b7a9b6732a961e |
| SHA256 | 4eee9c710137abc067b02148ce310861479f2d4133884c0e0a3f2a42883e491b |
| SHA512 | e0fda3225d88f16c1106e6ec167f647e16a5109eaa46d379f02fe3fd4eb9741b05ce5b33d3dbeb581da834d26f15c557e1124bb09ca07fab1e2fa3f66761d1d1 |
\Windows\system\spoolsv.exe
| MD5 | 5a1ebd5b95652b5790a346ce2d865bc1 |
| SHA1 | 4e2259d94fcb6c19cea3acc89c6ae89722575224 |
| SHA256 | 07c2d71b1ca2231d3e3b7206dfdd8b1d2d174f8dcf554345c6f8fbf2bcb426e0 |
| SHA512 | b7dc244b24785fa52d1cd53264d0cf6c046b7e02cd4c355f06f0d5f4978ec58f957df10253d31578fc9bc84dddc53ffbe78f5ba9c816a02755acfa7fff1b773c |
memory/856-543-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/864-549-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1532-548-0x0000000000400000-0x0000000000628000-memory.dmp
memory/856-547-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/1532-552-0x0000000000400000-0x0000000001400000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | fcb24441fd64fe17f85a4387f8cab4da |
| SHA1 | 907eae02a8da423afe25325bbb65e0e214be47a8 |
| SHA256 | a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150 |
| SHA512 | 563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93 |
C:\Windows\system\spoolsv.exe
| MD5 | 2250303bd076b77e02cba25cc19ffd3b |
| SHA1 | 9388c7608a70e4a84f54852e1c5f939215194e3a |
| SHA256 | 96ac12c068be4b00a98c11030ac49cf021a373f5f30f1093c50fd6666b3b27df |
| SHA512 | cd5e8505bc9ca5f7ab9dd85e2cc803c1e11ec4fd480e716953bb8f6a45180f43935e851175112037b17e251072a524153bfb1e5ba6fee6072036a3a79e699ecc |
memory/1532-562-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 63a3a954864aca34f057c15c02be6590 |
| SHA1 | cf3ede97211de5a9a72bc81639fcf0eeda600bc7 |
| SHA256 | 2d535fd771f6d837d4f98c4230884e25723c7b592c5c63bd76510c16d59efa04 |
| SHA512 | e295181e438faf76fed0fbf482b563ca95e9579404a6abfe97089a62a9ad270edd68058a7b7ac578c3bd156bde01564acbab0f9282e30275177a3f2b443c36af |
\Windows\system\spoolsv.exe
| MD5 | 1da9b42e228d5f1dd1d6918de8475852 |
| SHA1 | 4481b9e0d6c481383f27102327f9f537a6a232ab |
| SHA256 | d369c634127f5c98147c7d1507b708e5d1698a0f6df3a3113f62d12cf16d2bad |
| SHA512 | caae7ee73a5b527269e061531fea07c8bee0308998719a88113f53fdc3af4cc2124c5295a3fe2ffee371aa3b6ddaf0b4010e48a030c099a2bc6623b50ae2f022 |
C:\Windows\system\spoolsv.exe
| MD5 | d56c4265b79ac55551d9be733e758e75 |
| SHA1 | 3ee6dcc2322deb1ad10cfe885b917aafab5469b0 |
| SHA256 | 9a71c6608cf4af2f9c1267803744b9d998dcffc14a77001e565648a3302f718e |
| SHA512 | 064e8d8bf2d31a3284b08283c0a19f207cbfcb09f2789c80b98b293452c367855f02aa3b56918e97709a3576cbc579e8bc6cebaabe5b238aee17c77491ce4925 |
memory/856-591-0x0000000002570000-0x00000000025B6000-memory.dmp
memory/2460-598-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 5d74a4aae0b45f38c79245afda9154ba |
| SHA1 | a299484e050d3c2d1bfe5676487065ad4aa985b2 |
| SHA256 | 6703d672ad3bf07347a827c94bc5f8036ba7798270c565c49def723ed966e409 |
| SHA512 | 781f17cd86d0a5d3d47c8b72a7242f416167fb500140849a07f5bc4a298aa09746820286bd87dfde550abaafc1dd1ce8483ab90184902f56e832fde4d6558053 |
memory/2460-607-0x0000000000300000-0x0000000000346000-memory.dmp
memory/856-610-0x0000000002570000-0x00000000025B6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 587ee4d5bf246fbd0bfc6b4f078bc8ba |
| SHA1 | 5fab4e2f28d515630b0505bacb5bbb05e6994e09 |
| SHA256 | 19b64ededc3d49ec92e5220b8c0df17c97262fb1d335740681341256e9944dbc |
| SHA512 | f95544662c78a98607e26ceb9e67833acfb51ed490a6fd34a545960a62d8b7027007898ebf5c48a751b31bd589120f4f80abb12e27677a1ac70df064ba933f09 |
C:\Windows\system\spoolsv.exe
| MD5 | 4cd1a1f262ea1c494b675a834a6232d8 |
| SHA1 | bcd65005adac1ad553134825cbe0cc9c4f4aed22 |
| SHA256 | 65460b5cee279311488de317bd50eb9ecb31eb4f9a230841fd040a8bfecfea25 |
| SHA512 | 4c3e13e7f292034b5531e05586836e9a9f05609e011d30354d644b25eb7fd8dbe909b1e9f8b825497731f83cb55c0f306d7eb1b20db04517a3bd9be7de13916a |
\Windows\system\spoolsv.exe
| MD5 | a4ac7886777e9efb0faf6d7a2e5957d9 |
| SHA1 | 38a14ad8f9e32b107080f7c9a6a864b7b507eed6 |
| SHA256 | b0d87fa6b2249e8beeefd8bb6a72628c5f49110bb2d30bb3fdf7daa2019b8803 |
| SHA512 | 24f3330d155757f4b5d8c5ab267293bcf0b79c6796219a04e497202875a3b78fa23fc9588bfde7f66da21f05e9be2baa97d3d8ebb19b345066fcf7777c78ab3d |
\Windows\system\spoolsv.exe
| MD5 | fd6a7ae6efdd4613f387af832d4f022f |
| SHA1 | 9f2e584c3d80e9438f431cf36cadeab9bc7afdcd |
| SHA256 | f8aaf3b2b599cc9de74fbb8691da9fe8e1749cb8452f6c8bad1ea044b5d89d7e |
| SHA512 | 605e0945196fec1848ee687b9c52d7ce942ba260de9ead7d2d3030f25b7b2e68698f7b1b0ad82ee06553004cdc6616e2c0101773087c084780d9989db8270b78 |
\Windows\system\spoolsv.exe
| MD5 | 65d5c6dd1d0afe7b189defe15e04ef01 |
| SHA1 | 0419974180e6af739c95c58e44782bc93ca0fdff |
| SHA256 | 2822ea0f1710966273dc4c719a0ba573a55088f2ebcf473fee0c4fd28484747c |
| SHA512 | a09a894381d901deaa7bebbe2e2f968f801bb54123753a5db139b49ff0ebdc057786988333046fadb8db20ff20f3ca7033bedfdff4660f6ed81dce1860cd2aae |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-29 03:56
Reported
2024-02-29 03:59
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
156s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 820 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe |
| PID 1912 set thread context of 4384 | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe |
| PID 3036 set thread context of 4460 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 4460 set thread context of 1116 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 4460 set thread context of 8 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
"C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Users\Admin\AppData\Local\Temp\ad9fb7c8be1e320ce0e8571e63c2ad2e.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
memory/820-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-2-0x0000000000400000-0x0000000001400000-memory.dmp
memory/820-4-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1912-5-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-6-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-8-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1912-7-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-9-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1912-10-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1912-11-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-12-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1912-13-0x00000000073C0000-0x00000000073C1000-memory.dmp
memory/1912-14-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-16-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4384-19-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4384-22-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1912-27-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1912-28-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1912-29-0x00000000093F0000-0x0000000009419000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 844acdb9e06b0d4e56c48ee244d20c6f |
| SHA1 | 09d260e700d2bb59bb695212d597758ccd5b3419 |
| SHA256 | 2515ac4574e54096988dc6da1f9f6498b0893fa1bf54106aabfb1f2ffe725d04 |
| SHA512 | 100a961588d300de146bb24ccf0b4f90149a48cf549efee18e9c97a99049603bfbaf8920d6f879cf3a842310dd9021f359cc38dec25caa835941626fa433c4a8 |
C:\Windows\System\explorer.exe
| MD5 | 09a7b3c6426c87e7372356ba6a38fcff |
| SHA1 | 0c990b3990e67a9643328f4e721ecc7e15f01651 |
| SHA256 | fe6f28958d4a0f073ce4d94f5ffce64fbd050323b22d22e4f182d318c747b108 |
| SHA512 | b61798995c35a116e7a06eec53d16b732420e425e5538daf0f853528b948876174ddf9ae86187d5fab311c0d6746ed7d93d05288e90be4602bcd79bb694424c8 |
\??\c:\windows\system\explorer.exe
| MD5 | 5ab874f417dc0f32ccb1e36af212ecef |
| SHA1 | d8b01d645f6184b118c65055d488533708855323 |
| SHA256 | 1ff218f19e91eec79f554034fe7e6cfad1fa8e27b83a43448d0a921833829264 |
| SHA512 | f5ef7dfe8103cda3ff0228bfb861d2f87e663fbee0a0432beb65b6568f0c54dc1925f2b515d106975d658dae918eb2863b15ca8f748427f5a1d2a07dd3ebf9d4 |
memory/4384-35-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3036-37-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 8445bfa5a278e2f068300c604a78394b |
| SHA1 | 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65 |
| SHA256 | 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c |
| SHA512 | 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822 |
C:\Windows\System\explorer.exe
| MD5 | fe3ae34997ae8bc00441a6a6c7ab103b |
| SHA1 | 330211a198e55d946ed11fb298505a0dfe3f4c07 |
| SHA256 | 3536f51aab6f661465aa4cf89eb1a9b6eb99b9c8913709f6053cc38d8f86f057 |
| SHA512 | acdd4f296f3e86771d74d494d9a59457a4f37e944267718496db4a4b0c9ea897afb5927a7522c4233338df5643f11bc75ddca99ae0a3553a4b030972e09cfb13 |
memory/4460-42-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4460-44-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4460-46-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4384-45-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4460-47-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-49-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-50-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-51-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4460-52-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-53-0x0000000007650000-0x0000000007651000-memory.dmp
memory/4460-54-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4460-56-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-57-0x0000000007650000-0x0000000007651000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 78efb896613ce766e381764b27ddbb79 |
| SHA1 | 28511368e32715ac2965fb915f2072d415343513 |
| SHA256 | 2701e15a0677871f2e599843eb8c12c0cb2e3cc5809d99164861c2c4d7e89389 |
| SHA512 | 1da84eb60d698e0dde1b8eef088f931ce3cbd0d02fea5fbe3db80d5a697e38fe573a494ec6f66e215e37023da1d2e271c53aa7ec1f84ca00bd68722e108184b2 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | c4b92dcf6bb6b0bf6b57ea3434826697 |
| SHA1 | 09cbc5483a90d70610b82c968037dc31d1cfff6c |
| SHA256 | 8bd8e599bf34062dc1b3570e2e573d6f8cfb1db1c5c92786a1a113b10f549f92 |
| SHA512 | 13c117b1225e063c3e94c175ece6ea46db653222455cad4d5bb15e897cd5472a0d871fdfcb445350c97864d7db491958667922109b1809d8376046696b71d540 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | 5567c75f35e48c2937e8a29c98a70f55 |
| SHA1 | f4d75b9d6d3d78b377cccef977d2edcc8bc4faa1 |
| SHA256 | 260719ad6fd8056db272b144e32344b00660ef5d9cd55636348dd6b3788d90f6 |
| SHA512 | ae58869f7d3d29874f1396a4d8b1b4e2935bc57de8732746754cd3284a77d85f256ba234e482ace816157c90d0ec00165126f6ab25456270684ffca172707776 |
memory/1116-66-0x0000000000400000-0x000000000043E000-memory.dmp
memory/8-68-0x0000000000400000-0x0000000000412000-memory.dmp
memory/4460-72-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4460-77-0x0000000000400000-0x0000000000628000-memory.dmp
memory/8-76-0x0000000000400000-0x0000000000412000-memory.dmp
memory/8-74-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | e9e8b3f26966e6e19a896552cb50317c |
| SHA1 | 1312c9c6e45caa910d6d83e1eb06377f69f9d644 |
| SHA256 | 185a43a5017c7de3d1e9c0c9b77537f4891fccc3b9a2571a6212388426712945 |
| SHA512 | 0eb6ed3480f488da80554161c87c20258d320278d7b308e44f712023a8055b9531967f50641130e3af0b9bbf98e7510ad37ef13857cc4d50f5f439338ae42f33 |
\??\c:\windows\system\spoolsv.exe
| MD5 | 47b9125546859250648699a2e8649ec5 |
| SHA1 | 197af0f99dd2a9d8b35999fb79e77efc91e2acf2 |
| SHA256 | 34704b7c3ccd21f80d4c9e77875dac1a25f601eebb8140045ee241f8a78d6475 |
| SHA512 | b4b161b6b279dab3b0d1ed0d069733a69b1ff9249e352ccb725c08ef64d1618a20a64fdec445d7b712425081fb6c39d66ec5320fffb7ccc4adfe6480dd8003ee |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 13222a4bb413aaa8b92aa5b4f81d2760 |
| SHA1 | 268a48f2fe84ed49bbdc1873a8009db8c7cba66a |
| SHA256 | d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d |
| SHA512 | eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140 |
C:\Windows\System\spoolsv.exe
| MD5 | 2ddf6df817160984e047117d0375347f |
| SHA1 | 11f608ef7e7133e40188df577b54111c9f95cb06 |
| SHA256 | dfeea6c6621cf9667cc5cef6825757b7f36d967f0916e5d04e24d2e33ffeda21 |
| SHA512 | 10d95ebf6d36881613e6bd5180a0cfd617fb31324724e3efdb14d1cb39fc9f6634fbbda1a3e2b28b06ac0efe82ad0f6cb1f944db13543902eeffa4befb767215 |
memory/3240-88-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1728-90-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1728-91-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1728-92-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 9047901f6be1841c6be69b587f9a9bef |
| SHA1 | 225663bfbb66f7d3bf47aacd3aeaf8d36419d4bc |
| SHA256 | 463bb774f64935229fd7657449f2dc4e2f50899a4497edf1b5cbae31b1fe016f |
| SHA512 | 7978402b9265ec861fe73df7d31cb7a7b8c6c2287e7661a28dfb036e22f283ae101bde13a4a4dcf975634ac76b4753fdbd474607d966ad380b05be87b696a20b |
memory/1728-97-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1728-95-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3644-99-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1728-98-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1728-103-0x0000000007390000-0x0000000007391000-memory.dmp
memory/2104-108-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2104-107-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2104-109-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | b5b4236914b8f315dea48740ef641a1d |
| SHA1 | 3caf195ad42d9710dc6684e63f67938428027d06 |
| SHA256 | 6a9a5d664864f599c869f0b326ce46a7eaf0c30e926096a402a549fcb96563f7 |
| SHA512 | bb7076912ffa5f83d2953c509285e08ce157284f2a3cf2ccc9ffff655a1d3d818e4564b60e9f7074f12c685db69a023a7f31f6bc96bba2a984f79ef82b91bc09 |
memory/2104-111-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2104-112-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2104-113-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2964-114-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1116-115-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2104-116-0x0000000007390000-0x0000000007391000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 6b3159725f8ded76b9d763714c81fec4 |
| SHA1 | acac0941e662fb6d380f170d641a7c877817b8b1 |
| SHA256 | 770c9920adec258ed83f717e263313b498a36b332ab9e7e55258a0c6f80d97a0 |
| SHA512 | 68a33d8d3fd6e89d00826473b23468b7d8babad6398df1f3e933ffe94d8926dbcc26aa8fffcd7c3df316b326fe1b79c8e6ca9f593035a67c9d2628e6fc2384b8 |
C:\Windows\System\spoolsv.exe
| MD5 | 16bd25a3c6d3025ab13249e2c61d981b |
| SHA1 | 342fa28f45ff0c4f7c58441bff92d9ef6930ad36 |
| SHA256 | 2068e913253c1ecd5a6efc1da8450282824979323a77b46b4730d7321e564764 |
| SHA512 | 2fc5cc233cd133671c505da1b2048ebabb75a31b2baab2037a3bc9654a211e7d44e11fc5ab94b99cdbfe13a31902531dd538015d98ecf63f885506f0042f2059 |
memory/4240-123-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1728-126-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4240-124-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | fcb24441fd64fe17f85a4387f8cab4da |
| SHA1 | 907eae02a8da423afe25325bbb65e0e214be47a8 |
| SHA256 | a7f35cae5fbc5eb5f7b944455ce0fe15b01cc42f330c1e27942aad93e0625150 |
| SHA512 | 563e17f0793f0b418425c42dba57197ecd924d7813109234477c6d1fcb0ccb77653f50086db7e1f0061c0a0e325f90428f2a7bb1e303e90a88e604356a9c7d93 |
memory/860-130-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 2bd81f8ec10438c465af48a55f7dcb5b |
| SHA1 | a0f9aea762966ee0addf8a37f9bbb484b13eed1f |
| SHA256 | 03e7054dd4ec7cb0a2cb53fecf561c886d0ce8907e057786e840372eec93afc5 |
| SHA512 | 34d47ef73b7b6d691ab776a94adf957bee93e4d39f91c8ebeff6d634ae38584967188aaa27d699decd17a1addf5872d10b0d248cdd2b11cd266ed75881e1e5ea |
memory/4764-136-0x0000000000400000-0x0000000000446000-memory.dmp
memory/4724-137-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4240-138-0x0000000007190000-0x0000000007191000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 676299d2055c11b6d60ba263a4d4af4c |
| SHA1 | bfb8ba3ca1f4385980d30d2825896564e87e3691 |
| SHA256 | 14b3e869246c9deec26621331155b406b6481c8d1125a15cc62bb6f6d338eb50 |
| SHA512 | 67abd076159da03c7812a4cc5b40e3379c4b233e33baad4461de05ad3e9d4cbd05e197f71353bb506de550545feea9245e234caf56f87391aaf6d69b57df4f16 |
C:\Windows\System\spoolsv.exe
| MD5 | 75b15df8a4e8144c0bfd6e4f74ea8653 |
| SHA1 | a62267625cd2190836ce4a01ea1905dc4ba1c2d1 |
| SHA256 | 14d1077ecb62f61c2476c04bd2046cbcfb105ad586e14b964fb7822c0d51d84b |
| SHA512 | d01d6de8674a1c6fad8a9fed6686cbf925f78484f5f1d8f2504070f41f02355309ace577aa247df2336f31bed0d00674be8e8bf272fa3a5b9a121f86f0a3a458 |
memory/2400-154-0x0000000000400000-0x0000000001990000-memory.dmp
memory/4068-158-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | e15b0cb57b0d1ed9f55a822fce9d4730 |
| SHA1 | 864e950130f94c3334ebd890d26fb3cef06eb9cd |
| SHA256 | 6a9484bc37e17638ec03070b13f8e70bc0fe7032ce321fb7bdb5fccd357be1c8 |
| SHA512 | 3374a81652a171714e8e994cbf7ea407e55fd64e54fccf850e673c010891b63247d56be75c2a13a4b25d5f6181eaa23fdf3b676c9d6d0be6b4e59c131d2638ec |
memory/412-167-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 67a965e20c4f6f7875a0bd59cef3f072 |
| SHA1 | 63b5531a8bd5c1c657ebc391f673cf8d2d2d3002 |
| SHA256 | ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe |
| SHA512 | 4755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c |
C:\Windows\System\spoolsv.exe
| MD5 | 1da9b42e228d5f1dd1d6918de8475852 |
| SHA1 | 4481b9e0d6c481383f27102327f9f537a6a232ab |
| SHA256 | d369c634127f5c98147c7d1507b708e5d1698a0f6df3a3113f62d12cf16d2bad |
| SHA512 | caae7ee73a5b527269e061531fea07c8bee0308998719a88113f53fdc3af4cc2124c5295a3fe2ffee371aa3b6ddaf0b4010e48a030c099a2bc6623b50ae2f022 |
memory/4336-179-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 16926b3dd12c0fc69561d4a3b336fcbd |
| SHA1 | d225b3495dc9782b161ef79ef7dd2c4f12ce71b5 |
| SHA256 | 8e2b326f6ee3287b9d7f413c227ab4dfb4bf08e7add4971db38ba245737be3fa |
| SHA512 | 989253c5d480c67b532ed9c09f1d162486fc36391b059ade2b75ee08aecd5eebc403f9e98666f184bd6b1e683fcd6ee489b34c8991ad7ab89000c2fbe1c60deb |
memory/2892-182-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | ebaa137a72aa80bf6fef8c7f3d08f527 |
| SHA1 | 9c45e02846432ea3fdb5aa159fcdb983955e60a6 |
| SHA256 | 06304c9a76103c7c0e0e98ba453c9736b1da41a82a8f3c108d5d2dccd3996380 |
| SHA512 | 2f345f8b05a1d311b5c9f8e670004a0bc0e7bb0f8ba5c28b60e83b04c46e2a339f0b4f9a896d12497f5636408ed2094bbe235e6f45b5a70f46f7f574b0a8bc72 |
memory/4724-191-0x00000000074A0000-0x00000000074A1000-memory.dmp
memory/4336-192-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4336-195-0x0000000007140000-0x0000000007141000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 775d6d5aae14fb9eae069c5a3effe1f5 |
| SHA1 | 1210f1f2c16edad8ee5a7a1103af896b84e85570 |
| SHA256 | 51e84df2ad91700dc109d733224fd2d2f8015d06608f3122126bb167c96b3164 |
| SHA512 | 0b83219e6e15e4585d9a5141ad1efe5950cfd71bd5e2103212e8fa1ca78ba7d256cdacb6eba0b49d1937c097ee909c3335f4ea771418d60d20d095d0e9a86cad |
memory/640-198-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 30a91c091c2f9fd6dc1af98b9e4f64e8 |
| SHA1 | 12644033256a60fae6d301d02a43c48cb2dd3fe8 |
| SHA256 | f6b9839a8d4fa1e835d2281e046b43cd3ae4b09cf4900e5c898b5460ec8ee87b |
| SHA512 | dc4a1c8df45b5e1b55364caab99a54e6448010ac4c66ddc08cdb66006c5f32eb64e29560c7765acbe45a97dce3d889c6b3cf65d413ec7793245a680910c64d19 |
memory/2104-202-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1388-210-0x0000000000400000-0x0000000001990000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 47772e1e36e2b44987b5b2de3b16faf1 |
| SHA1 | 380d4fac049041c8a4d268c6fb88357030cc11bb |
| SHA256 | 81a8d99bf2aebc7382063bcd83e650ae1042884af2355b4d68ba1346dc7cbd9e |
| SHA512 | 7060629449452413ed94511c54d4f052d062392ecbf2fb53f2158ecef7f24b9587fa70cc6e4bcbb8b39d2fbd370b7e1b98ccc48f50acbe782a1d2b6c356ef408 |
memory/2616-216-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 06148545616a466c522f72813b54b0ea |
| SHA1 | c7c4e41673ed02bd9130113d3cce62d7f691fa0f |
| SHA256 | cd1d7bef947f97f28389867f67b656fa43ec7a22573a6181c20d955fcf5325b2 |
| SHA512 | 982b3e244437ab4fa443cd7075f2efc8d95109aa835f866ab4577348306bacbdbb3cb84c47f40fe3c370f687a067974c08787cf89e6a0de27064d9f36d615c94 |
memory/1328-222-0x0000000000400000-0x0000000001990000-memory.dmp