warzonerat | 006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
Size

8.2MB
MD5

fc023d88a1bd179e0fe52bd15728bc47
SHA1

0237d102150c2056b50eb9555a6dc25a53dd993e
SHA256

006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d
SHA512

32b3bef07d89046419ccb51cf0c332a3df9a18adb623d31c80dce40180ad2f1717588a6a21e306347f1e438586138bb506aa84ef8957ed186b446320d2b9e9f6
SSDEEP

49152:7C0bNechC0bNechC0bNecIC0bNechC0bNechC0bNecA:V8e8e8f8e8e8T

Score

10^/10

warzonerat aspackv2 evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 40 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
C:\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\svchost.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat
\Windows\system\spoolsv.exe	warzonerat

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

ASPack v2.12-2.42 40 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\??\c:\windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\svchost.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242
\Windows\system\spoolsv.exe	aspack_v212_v242

Executes dropped EXE 7 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid process

3016 explorer.exe
1980 explorer.exe
2328 spoolsv.exe
1620 spoolsv.exe
3008 spoolsv.exe
1292 spoolsv.exe
980 spoolsv.exe

pid	process
3016	explorer.exe
1980	explorer.exe
2328	spoolsv.exe
1620	spoolsv.exe
3008	spoolsv.exe
1292	spoolsv.exe
980	spoolsv.exe

Loads dropped DLL 33 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
2276	WerFault.exe
1980	explorer.exe
1980	explorer.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
848	WerFault.exe
1980	explorer.exe
1980	explorer.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1532	WerFault.exe
1980	explorer.exe
1980	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2244 set thread context of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 set thread context of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 3016 set thread context of 1980	3016	explorer.exe	explorer.exe
PID 3016 set thread context of 2248	3016	explorer.exe	diskperf.exe

Drops file in Windows directory 3 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid pid_target process

2276 1620 WerFault.exe
848 3008 WerFault.exe
1532 1292 WerFault.exe
1304 980 WerFault.exe
2344 2400 WerFault.exe spoolsv.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exe

pid process

2452 fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
1980 explorer.exe
1980 explorer.exe
1980 explorer.exe
1980 explorer.exe
1980 explorer.exe

pid	pid_target	process
2276	1620	WerFault.exe
848	3008	WerFault.exe
1532	1292	WerFault.exe
1304	980	WerFault.exe
2344	2400	WerFault.exe	spoolsv.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exe

pid	process
2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe
1980	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exefc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2452	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2244 wrote to memory of 2428	2244	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	diskperf.exe
PID 2452 wrote to memory of 3016	2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	explorer.exe
PID 2452 wrote to memory of 3016	2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	explorer.exe
PID 2452 wrote to memory of 3016	2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	explorer.exe
PID 2452 wrote to memory of 3016	2452	fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 1980	3016	explorer.exe	explorer.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 3016 wrote to memory of 2248	3016	explorer.exe	diskperf.exe
PID 1980 wrote to memory of 2328	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 2328	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 2328	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 2328	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1620	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1620	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1620	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1620	1980	explorer.exe	spoolsv.exe
PID 1620 wrote to memory of 2276	1620	spoolsv.exe	WerFault.exe
PID 1620 wrote to memory of 2276	1620	spoolsv.exe	WerFault.exe
PID 1620 wrote to memory of 2276	1620	spoolsv.exe	WerFault.exe
PID 1620 wrote to memory of 2276	1620	spoolsv.exe	WerFault.exe
PID 1980 wrote to memory of 3008	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 3008	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 3008	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 3008	1980	explorer.exe	spoolsv.exe
PID 3008 wrote to memory of 848	3008	spoolsv.exe	WerFault.exe
PID 3008 wrote to memory of 848	3008	spoolsv.exe	WerFault.exe
PID 3008 wrote to memory of 848	3008	spoolsv.exe	WerFault.exe
PID 3008 wrote to memory of 848	3008	spoolsv.exe	WerFault.exe
PID 1980 wrote to memory of 1292	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1292	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1292	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 1292	1980	explorer.exe	spoolsv.exe
PID 1292 wrote to memory of 1532	1292	spoolsv.exe	WerFault.exe
PID 1292 wrote to memory of 1532	1292	spoolsv.exe	WerFault.exe
PID 1292 wrote to memory of 1532	1292	spoolsv.exe	WerFault.exe
PID 1292 wrote to memory of 1532	1292	spoolsv.exe	WerFault.exe
PID 1980 wrote to memory of 980	1980	explorer.exe	spoolsv.exe
PID 1980 wrote to memory of 980	1980	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc023d88a1bd179e0fe52bd15728bc47_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3016

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
PID:2336

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
PID:2664

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2112

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:2276

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:848

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1292 -s 36
6⤵
- Loads dropped DLL
- Program crash
PID:1532

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 36
6⤵
- Program crash
PID:1304

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 36
6⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:2248

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:2428

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
Filesize
8.2MB

MD5
fc023d88a1bd179e0fe52bd15728bc47

SHA1
0237d102150c2056b50eb9555a6dc25a53dd993e

SHA256
006238b4055897309454555b2bf335843f09c9a106e5535ce5e9ded7cdb4a13d

SHA512
32b3bef07d89046419ccb51cf0c332a3df9a18adb623d31c80dce40180ad2f1717588a6a21e306347f1e438586138bb506aa84ef8957ed186b446320d2b9e9f6

Download Submit
C:\Windows\system\explorer.exe
Filesize
8.2MB

MD5
ea32aa722bd385282fc04374e89be224

SHA1
e21e0b54016c000d74d8c958e3c12439f0cf3a8d

SHA256
eb642981ef5da4975b03523bdd693942b73b9167fb8aecf847c01e80fca44c36

SHA512
ae96110a30bdf770070181d78ca787f673c13e126d9c8280b0d5ce6f286ac39d96f6be9301d3c286e19947c4229906373ed43a4d2a70667b67063d1af47eb031

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
7.4MB

MD5
933c7090edd190c5696ed39667ddeb84

SHA1
a5b4c918ee4256b21b1afcd8104f81b5102dd081

SHA256
08f99ad989576e38ed66fed00d7eca9ed1badc6d24e37fde3f68726cb325b548

SHA512
5f77f9b5df46676ecc1786270f218fc523cabb7dece15a5997c31e1e888da6d1a276297855396a599d52cad6f63c2646d9b4714af50a81b47123aa85d2a8fc8a

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
4.6MB

MD5
4734234853df5bb2c3bc178b33e4a429

SHA1
33a3b9d4b05edb35213730f26e14d914a0b9092f

SHA256
921508bbbecab1c655657e725192131e6197a1990844809e6c23654a3a27a9d5

SHA512
f6cc65693a1bf006f0b9ecd6e32fd2adc2af675b9ca0b09c2d43501f9c119131ade598ed3bf10eb61ee2f6c98092f4c2ab8988f389dde28bffe03c667d8fb84c

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
3.4MB

MD5
1c56d4a631066ffcb996fb9adc63b8c3

SHA1
2eaa1ec7d742b9c0c1598753391d9a93a91da06d

SHA256
1b5ad4223f7100f575e3444050b11ab5c66256a82cce416d4b5a120f1e6d8ed9

SHA512
ba5ed00ebdc78d89ec373daf610798e78c184abe2ea1747e2debf69ea953a07a4b355142271f995e209e6fbb744fd21f9668ffc91e8e77d14fda20f6f90881e0

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
2.9MB

MD5
f25210466aed0f4ffee22a9c764fc0dd

SHA1
fe7adb8de8f37e54d29b4e3ae5e0c148c3950348

SHA256
613cdf400faf3242e680e2c812d35721d12a0a16f5e7178b50c37e3facef927b

SHA512
3ce854ee9c2c9b8474fd299ad790b2c366309b5594e203adb015914d4d1a0eb81d60d68bd710adb77340611be6f7bc1020dd27d14548f81b336c1ced0313c429

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
1.6MB

MD5
f13d945fc143f9e56f2dd7fb8f0c22db

SHA1
b6a2212fec6edbed6365a04314fe8a691202ff14

SHA256
d8ce6ffe52757da485e271f787bb472c8c2cd86d237ac2d9d14d2f18b6f3a05b

SHA512
cbb8d52e99d5b489d2628b23ad5f0463e2cee60ff3719a4df844b0388afb67cc247ec9ea703341dcbd4b67e4254963cff7bfe33e2122b0b79b7bebb145fb90c2

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
1.9MB

MD5
1830d2d7f591f068cfd66ca58f388937

SHA1
d15c069d06a6757e9606482a55fc21f732ecb792

SHA256
4857e2c9b78ae8157cd5d2e2141ae3cd0f5d6e5ab189f4f272e851d2be05550f

SHA512
79dce227e6308d2daf72610faa1be2e50298754b1efdc635656e4cc4e062d825c55b1bb37f98148ed24fc777096b98419b368865ab24fc0099143ee484d515da

Download Submit
C:\Windows\system\spoolsv.exe
Filesize
7.1MB

MD5
3cdf893d37ddee91bca730d9867449cc

SHA1
7fca62f44077f1a9da13c44167aeebdba0799d59

SHA256
059d71647e98b0a752833662385107b88dc4b85b6a22256ea39f9151e520b2e8

SHA512
c58c63f4018118f42bb26824abe7b01c89b51dd5bb41a97fdbdd33cf48e2f02b8babcd120e1c44b59c495d6a9d5eef5a0ddbeb44fe0d38d18395eebf49fb3a26

Download Submit
\??\c:\windows\system\spoolsv.exe
Filesize
2.1MB

MD5
45eee4932b7a43bca1e24193c2a627d8

SHA1
3962bd58e272c4b826df31c275c4618d6857b578

SHA256
77db0f6d41d00d3ce61b6813e4d00c701581bc8ee319c5fece447c239bfa8a21

SHA512
4410454103fd9888e494ce54f295afda80835a9b0a31fcb8ac8253d84cb8fd46768108540867486d9e1baa5f82b11f3c8afe2ffba3bf7afe29f197e26f8c78af

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.1MB

MD5
2cb25d41764f4e81cf13f0bacf6ccbab

SHA1
91b3c3524f59b84d3721d8a6b6b624d92be8b2c1

SHA256
a7b31ccf6c7a1769df590efde49391a65a102b6ec063cc73e051d8b8fbc0d848

SHA512
769f7f7c859fb4ed626a3986ef56a56f9a4403ad84f13005632c19c0d0b3460c6f5fdac62cae75c45dc473452056f00912eb51261911307df21d78967c2fb678

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.6MB

MD5
8e3f6020807dc87d1c021a535e9f068c

SHA1
3b3381e687c784367f556983bccdbd14fdc13327

SHA256
a529b7a3ceabf686e67471f146a6ddfd278e19ca96e0b27b30c9ff0852fbe1c8

SHA512
a33bed3c3e07be93455e1b8411b31c3cade34955bd2d23bd5908eb164a17d686b05b45136296238b1faf77b8f26adfa81de261338c715d3a4a83198e230514c9

Download Submit
\Windows\system\spoolsv.exe
Filesize
6.7MB

MD5
2a24a9d210533ef7bd57964edb699d9b

SHA1
c3385a9ca1e8e1ab90c81e423152bf3e6d22f297

SHA256
b4a7c7b3d89963f01264f51b6ef61d7d3e56ec7989b990609333d0a2e064a671

SHA512
2532bdd2be3302eb57805cdef94985c7c5273d82af5349aafeb1cc3caf15c3ab1f2bdff0029b0fd22177426b0028136b3206fa8af138e458faddee0c87de5df9

Download Submit
\Windows\system\spoolsv.exe
Filesize
6.8MB

MD5
9b9983645bec0a9599dc7ab07eca707e

SHA1
51a992ee5e96c18b3ffdb9cbea51cf431f4d9713

SHA256
c56afb3539528284fb97a43edf9cccb1f2e905b496e4b5d4e52d8bf4e2f14af0

SHA512
36384c552f515ada5257c17a5c897b72a3a0d75c04dd42e79e125bc0a698cd22b58da1b855843373d507c82be40d5d824b8551e0a80188cbd4c6829bcc58d8f9

Download Submit
\Windows\system\spoolsv.exe
Filesize
6.9MB

MD5
6003d3ea51cfbda7e61385cca1bab3a6

SHA1
002950ff8c559b1593331e69a1d1a44f93a12cf1

SHA256
9c36c114ce217f38e5d8bbfc59d7e157b3ccc8c1d50983e722e91911b1ca6c0b

SHA512
d681dfb8380274aaa8103787e7d40c26aa27d1028b3a0650826e004b2d70b4ac401d01884d85164e68afdacc3df2b8138b9060ad760a875076934d873a1eecbe

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.2MB

MD5
4012d263ef92c5881d0abfc3f06a86bd

SHA1
2410c2111a88f446bb6cf3cfd48bd22493c08f43

SHA256
6094e882d5ca77381ffa35892856126aee9dc5b34e7a0ea0a4c65ffde0dcecbb

SHA512
4eda592db187265c64eb44f9b3c660781ee142d2f735a5b35b7a4d5713a68fb1cf91a2dc527bbdb17b33935038eb11c0008703b3e454b7986424f4cb1fbde50c

Download Submit
\Windows\system\spoolsv.exe
Filesize
6.1MB

MD5
13f8b6a318383c73349ad4acaef1c37b

SHA1
70c954d06f453bf40efa09553604f5cbdf194f88

SHA256
7e0c19ecfd95a0ecdeea30712cb1c32539c7bf8397ff02af69f4fe0027055546

SHA512
67587ed5a0c5fd90b058079cd097385753859eb7afe1c2276c38adc3b7b16c9b4336f19cfc58e93e748273ececbe361047f94e3866c98b2eff46cce164fcb0c2

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.0MB

MD5
1070097faa12a39fc2bf641333ceadcd

SHA1
0274d58cb6f0ca47fb7be4d86630e1f5b42b329e

SHA256
65dc598aca7c2519275b4cc8cdafe7f585892a6d00c90b73cd963b4ab4dca6cc

SHA512
1adbe009f644212c35be769589929630d989b97139d0873bf61820b961e8c53674c37b5be9e2c402120bd18c5f432f3b2691b09157010255b414da20ad8ecae6

Download Submit
\Windows\system\spoolsv.exe
Filesize
5.1MB

MD5
f5ca97d246bcda258d4460b94e9bd559

SHA1
ace92b0b7703125e598aa9cd9bb1a719da5ec343

SHA256
7afda2dfc8d230f3d4c4405f3f50c464dc0b7377a832e1fe01a76b8979ff5da8

SHA512
9e2423a5dc414ce0c4d7112011440b1f19afed656b973ad8deb9bf123f7739ff0bce0a4c16c955c2eaf32df790e1f8c615f66a4d450c506703229433a0595650

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.3MB

MD5
0de5f37fd1e34a18d013bf7fa3723e58

SHA1
571552fb69eb1d212275ce805b8a4e528650664c

SHA256
24c55074101aa2d318c0cfdd681b73a119b0d0c497a4495ce09b1b0e44789db5

SHA512
7b368dfe0b3449c04427bf1012620dc4c3e4f58d3112fefef94fbe82c7e4b81e8dd9d48b3a9f1233efc059bd932325c42da916eab4d6585062df4021b71706cc

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.1MB

MD5
98171e03f0c92601edb16a4db00d1a63

SHA1
1a65f1bad14dd44ef52cd33d7d9e00585913d905

SHA256
f77d8da2a7621d968aa0d391f6c3a279dc8751db429b16f27f8ab71c4cb0e4eb

SHA512
933a60e1b5a5b95da0882a3f348746c341662fc95432aafe8713eec1c20fb94161ad34b0ac2bea598133451167320db3535d614c904b0ab1d189803a444ddf96

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.7MB

MD5
490d8238c5ac051efa24f5e81c82a88e

SHA1
cd4517ab4892d204506fbcb886e1b559508322e6

SHA256
ffb566410236c4bdbcd67c1225fdf90e9e70ebd0704770562a6edab05b8b919c

SHA512
3becada8af54b820b7aff12a9c82506fdd2884e4b12efc605be8a82ac813d87be6ba98020f466d5ef493dfbc6f540f0359ffb22324993870b74cb0de16868215

Download Submit
\Windows\system\spoolsv.exe
Filesize
3.9MB

MD5
01cf48a25643cee7497d7609d45addf1

SHA1
df4c03a689cfa6ec299d5bb86763dc6f25905cce

SHA256
030d195bcea6347ce12758f11640d9193ef18083f34801ff792c2c47f731fc62

SHA512
d0408110d3098c7857adbeabd6bd1e549c74467346d8ae1f5aa1eef65bed7d6565aa5e607f925209d01e8f463e548afb9a978578ac15b690503f678211632238

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.4MB

MD5
dd95434af2d0eb38b2d8925af73aa2f7

SHA1
5da1b7a1333605698ec410cb2f2031668ffae45a

SHA256
5dd7d09634dccbebe5e0903c50623020e4a25063e346d8d89cc3b97ac0e9edbf

SHA512
85b27df2d80c326916c03d22fde7aadbbbd21c8ac7439003d6a49e8d38feadebe102c36b0e4dc7e8891480080fbd1dc0157304f79540249b6779fedf9434cc85

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.1MB

MD5
587a65d146089ecc69441b031a46a452

SHA1
d6150b6edf4da6ac577eca9ae956ef51284ac99c

SHA256
3c537156249d8fced6bf45fc2f4ecc931ac0d19518abf16988d00716d28dc071

SHA512
b94aa4ade532d4001441cc2ffce1f29bb0f1e6a4e24c0c7a7296dc99395c70ed526440085166e0c14f872f38661a4c354647fb58a05d8b12d2e5b4e18e193251

Download Submit
\Windows\system\spoolsv.exe
Filesize
4.6MB

MD5
88143dbfb9983385d6bbfcf5ec062d50

SHA1
638fe4ba6f08647b800557e7ea05dfefcfe67a5d

SHA256
64414dfdf7a71f4b24d9578a0b9bd0220f80716d9d991f6d06b83de5eca509f3

SHA512
f1da969a708ac1661787c57bd314a67e39a68cb34b600059189bac05d4c3ce573413f0baad80d2a319bd78b59796bb9e9993ad303f33bfcf4ac6cc31644be8b4

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.1MB

MD5
09de68e1fc21c3fe26ad11208fd37ed9

SHA1
cd25f0f54a4d02daa6fde902f46ec377711d9133

SHA256
8c3076b042958ad3be9a87f678f21e03379fe58ae6179fca6d3a851e56297a88

SHA512
38f007aba37ba83c996702a3d87144de55c2832d3b0ab74ae1b5cd5e00a0eb05fb7fd45d84ec2fb61550db5de733b64e5e42927e86d8e7920f82fe6ef15c52fc

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.2MB

MD5
95b6ff2fb13391158c7f8e96c26af820

SHA1
c036259f512bf2020f36b369efeaf47332fcabfe

SHA256
588e5117e3e98c29cba835e4422bde6a7c280f9c5797ea83bfc7326b5fc17a37

SHA512
feb326c3bf362fc740410b300c1226a8a2ab05015f653954b715f08dcf91e418626e8877698665a6cacc455a13a45ee8f2633b1438741ac7249f9614d09e31d1

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.6MB

MD5
3576704d4116066092ca4c6cd0381753

SHA1
8490b9fe04ff64d4e9df64aad3bee1d10dc7dc5f

SHA256
783e510ade99f8f888977fb86c8114d46f8d72613a62b8da662ca1da80dd3ef9

SHA512
dd6d0b1652e75d56c57b0f84eda7dda51aadbab1cb3224db4536024be6acac773a17eb4d72dd42c488b298039e682e1be67521653a547188b1599c1d38dae3f0

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.8MB

MD5
0ef4b0336835b20e5d6f76dad925a6f9

SHA1
50d888cb6c4878aac863bc66d8fba4716f7ab1c9

SHA256
00efdd1e1f95b33e0a93cc0fe1718e42ec60037fb5d3a413ce6cf1ba7a85525c

SHA512
c4575c1601dee032684da3268b40df79091534808f9350ebbe7c52c16c3bdbd8777e79143da502a185c56d914d50a255f21d236203209310c69fb0ecd3f7cd36

Download Submit
\Windows\system\spoolsv.exe
Filesize
3.1MB

MD5
33aa86b27ab9123e9fbc61ef7c4bf949

SHA1
c3ef794787ef89c1db76c9141086d04a8be94b5b

SHA256
28844b5a56d3b4a29fea7ccfacad3ea941cae4bfa79c53c8cda471fc22d6c461

SHA512
9871204eae0e3391e1fe47a619f0dab3cfe07a26dd2b2e74629d43543d118561688ee3ce887b145e346fc86c0c055a54faa28c40201433b86e91b0faf7c0e728

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.9MB

MD5
9e013c2c683b0c16c73e05df6a9fe06c

SHA1
ad1cae6a6ecb5e06a74790b249223c98f478cfc4

SHA256
598e8c6855883acee3bf13ca16b38b3f27fb85becaabc9b0453c1de873517dea

SHA512
34bb6f78df3ba2c3cf98b4b37316d7517cacba1dffe991f3cb35917e4953ffdd24d145789bd2e831e5158e1e99957f85d28974203344971a2f15d54a3ba11aa9

Download Submit
\Windows\system\spoolsv.exe
Filesize
2.4MB

MD5
2856991df776b5da88e4f455d7a100e2

SHA1
a0584fed70375b1f4045d89cd14de7d24cb0330b

SHA256
e94ec1b0b96e48cb6c1bc905e70cfecc749cfaab8796071dc9bed50a6a5e7995

SHA512
bb00a9634808d84e0dd5429d9536a95645ccf1b8bb0550f22d37225f07bb5be64e65ddf435e526fe06d92efc185a577eb64f20c9532a3095dfc39b9889a312e4

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.6MB

MD5
1f06cc50398dbb589a977f5ae6c4a10c

SHA1
1edb14c8add50a2cdf07e2a4efd2345e435ef41d

SHA256
d30e3b0e3b48442f5561804ae5ae4af33143c3189d8ab1cbb2372267084aa017

SHA512
d55ee7bbb5834b47d1781c8eadabfe71001bbf3c332e50df7daa593b3390b7234a268a29224eeefcb47c1bccb7e028ad14e999327e66da172e28729efffb4479

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.4MB

MD5
bc67eabdc67a31c285f62de95d2e506d

SHA1
932423d4e64640d3a0433f826d863a50da65a5de

SHA256
55739be04a6c9328f7b48595d8dabe7148a7dea71a9424fc4977667f3352bfcc

SHA512
57a6f9dd0d3c2c084e8d7a162cd948a8320838979114ac9a1cdec12525a4b637161ac9c4f6eb2ff6b0d64e762ab26c60cc5b6482ec5525ac9c377904df1d410b

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.6MB

MD5
5977cb99cac3518905f28f1435f09a3f

SHA1
519b3dba4444b4951e596aa4189b6d74a29f5282

SHA256
908131b315e80afab303849ce7fffb6342ae8764755467d552d92553ed30014a

SHA512
18adfc031e7eeb243d0b512ae2b3411ca58f72599e61942c33be8b41f78fd4561a2661bcfd2cb5d7b74bf49d55aadc0b4d9cde82d4776118644d672a23b52b1d

Download Submit
\Windows\system\spoolsv.exe
Filesize
1.4MB

MD5
19b7810a41d958e81014c9689c6cdbd8

SHA1
21955729a6b95b9ea6ab7e30be8ea52e685961f6

SHA256
6bed24df2fd64da5d626a54d33a421428e94de09d6177e919dd8c72200388410

SHA512
3369e47d71040f1dd0d7a103d7cc7d4099291b60bde9daa2d155ca6625c0e613426962e13ddb35e8343e84a41705daaa3741050e54dd132c32b7d4c6493ac3b7

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.1MB

MD5
4d1a5c505cf72559c95bedcb95756530

SHA1
a321d23a41c270970859f0f23d22490822144bbe

SHA256
72b50a155452d68d2ec5b0e187cb6fb23b31d7bc7dd4f9e1f8781eea5d28bc27

SHA512
2444f0e481452da377305ae35fd758f3ad607be33b4a7c8cf406e062085488b2e67e2a215a0d34111e01921efa1b79a8ede7a14e6c4b9fe58ae9447ebeb3467c

Download Submit
\Windows\system\spoolsv.exe
Filesize
7.6MB

MD5
2ff7d3118b3de0fc0016637984ac07de

SHA1
11369c1339c27ff4b9db52bf9a16a7b87646fd49

SHA256
c44215717d519a8c26d71a8b8eaa2ec3733b0bbb36dded51a04aa386bd3eac11

SHA512
5d39eddeb4f3a3ee96a556e8abf23d34c5006e29c93842accf950c6f40dbcf4311d278a252d0ade2924c05c77012e44cb10d319f65b3eabeb8e7bc1a633a0197

Download Submit
\Windows\system\svchost.exe
Filesize
1.7MB

MD5
aff44c7d0dad962c4ad7fbf7cddaa967

SHA1
e2d017d7b764eb6b051bb34439d18f7576559883

SHA256
03c3933352e796c129cfe3663f27859539f04213ea981cb898f01c01b462f102

SHA512
0e8fe1709b67f0a3c9991273b390c96b8600ae83e8178904610654ed7507eae1172c66cb6dca59172a1d072544568ef9ab28aea069a64ba53f406f1f441dfaec

Download Submit
memory/1620-121-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/1980-173-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-113-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-114-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-153-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-187-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-243-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-161-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-154-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-142-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-140-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1980-180-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-99-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-234-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/1980-141-0x0000000002E00000-0x0000000002F14000-memory.dmp

Filesize
1.1MB

Download
memory/2112-225-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2244-35-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2244-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2244-11-0x0000000002EE0000-0x0000000002FF4000-memory.dmp

Filesize
1.1MB

Download
memory/2244-0-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2244-4-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2244-1-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2244-3-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2244-2-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2248-88-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2248-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2328-132-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2328-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-100-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2328-101-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2328-102-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2328-226-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/2336-235-0x0000000002DD0000-0x0000000002EE4000-memory.dmp

Filesize
1.1MB

Download
memory/2336-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-28-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2428-38-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2428-32-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2428-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2428-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2452-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-43-0x0000000002E70000-0x0000000002F84000-memory.dmp

Filesize
1.1MB

Download
memory/2452-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2664-238-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2664-237-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-52-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3016-51-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-50-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3016-49-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-85-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download
memory/3016-54-0x0000000000400000-0x0000000000514000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads