warzonerat | 7f25805707be6779ea1ef6619eb0a4741e824db3a6d2eb0a984348f86a21e577

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a337d08121b84b6c6857f2f47c58aba0N.exe
Size

2.9MB
MD5

a337d08121b84b6c6857f2f47c58aba0
SHA1

f3dde23f349ef5343873254e905546a713e36a21
SHA256

7f25805707be6779ea1ef6619eb0a4741e824db3a6d2eb0a984348f86a21e577
SHA512

57fe5e9b7e9559dc7a8a3938d39cabaa49dcf73371abd29fdafacf1a8fea0db9c8d48c765a5a0ce1960e39673a8ebc86ccf4252e088f1be38f8771c1348a1c02
SSDEEP

24576:bTO7AsmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHj:bTO7Asmw4gxeOw46fUbNecCCFbNec8

Score

10^/10

warzonerat evasion infostealer persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000018ba5-87.dat	warzonerat
behavioral1/files/0x0006000000018718-164.dat	warzonerat
behavioral1/files/0x0008000000018bb8-181.dat	warzonerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 46 IoCs

pid	Process
1504	explorer.exe
824	explorer.exe
1052	explorer.exe
920	spoolsv.exe
2324	spoolsv.exe
1592	spoolsv.exe
1948	spoolsv.exe
2136	spoolsv.exe
2832	spoolsv.exe
2224	spoolsv.exe
608	spoolsv.exe
3000	spoolsv.exe
1492	spoolsv.exe
2112	spoolsv.exe
1320	spoolsv.exe
1120	spoolsv.exe
2152	spoolsv.exe
2256	spoolsv.exe
1256	spoolsv.exe
1940	spoolsv.exe
2308	spoolsv.exe
776	spoolsv.exe
2992	spoolsv.exe
2856	spoolsv.exe
2996	spoolsv.exe
1728	spoolsv.exe
408	spoolsv.exe
548	spoolsv.exe
2596	spoolsv.exe
1044	spoolsv.exe
1660	spoolsv.exe
2740	spoolsv.exe
1328	spoolsv.exe
1548	spoolsv.exe
1200	spoolsv.exe
2960	spoolsv.exe
2980	spoolsv.exe
2388	spoolsv.exe
572	spoolsv.exe
952	spoolsv.exe
1140	spoolsv.exe
1448	spoolsv.exe
1856	spoolsv.exe
2244	spoolsv.exe
2720	spoolsv.exe
2776	spoolsv.exe

Loads dropped DLL 64 IoCs

pid	Process
2500	a337d08121b84b6c6857f2f47c58aba0N.exe
2500	a337d08121b84b6c6857f2f47c58aba0N.exe
1052	explorer.exe
1052	explorer.exe
920	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1592	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2136	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2224	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
3000	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2112	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1120	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2256	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1940	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
776	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2856	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1728	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
548	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1044	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2740	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1548	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2960	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
2388	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
952	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1448	spoolsv.exe
1052	explorer.exe
1052	explorer.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a337d08121b84b6c6857f2f47c58aba0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 27 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 2528 set thread context of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 set thread context of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 1504 set thread context of 824	1504	explorer.exe	39
PID 824 set thread context of 1052	824	explorer.exe	40
PID 824 set thread context of 336	824	explorer.exe	41
PID 920 set thread context of 2324	920	spoolsv.exe	45
PID 1592 set thread context of 1948	1592	spoolsv.exe	48
PID 2136 set thread context of 2832	2136	spoolsv.exe	52
PID 2224 set thread context of 608	2224	spoolsv.exe	56
PID 3000 set thread context of 1492	3000	spoolsv.exe	59
PID 2112 set thread context of 1320	2112	spoolsv.exe	63
PID 1120 set thread context of 2152	1120	spoolsv.exe	67
PID 2256 set thread context of 1256	2256	spoolsv.exe	71
PID 1940 set thread context of 2308	1940	spoolsv.exe	75
PID 776 set thread context of 2992	776	spoolsv.exe	79
PID 2856 set thread context of 2996	2856	spoolsv.exe	83
PID 1728 set thread context of 408	1728	spoolsv.exe	87
PID 548 set thread context of 2596	548	spoolsv.exe	91
PID 1044 set thread context of 1660	1044	spoolsv.exe	95
PID 2740 set thread context of 1328	2740	spoolsv.exe	99
PID 1548 set thread context of 1200	1548	spoolsv.exe	103
PID 2960 set thread context of 2980	2960	spoolsv.exe	107
PID 2388 set thread context of 572	2388	spoolsv.exe	111
PID 952 set thread context of 1140	952	spoolsv.exe	115
PID 1448 set thread context of 1856	1448	spoolsv.exe	119
PID 2244 set thread context of 2720	2244	spoolsv.exe	123

Drops file in Windows directory 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	a337d08121b84b6c6857f2f47c58aba0N.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1756	a337d08121b84b6c6857f2f47c58aba0N.exe
2500	a337d08121b84b6c6857f2f47c58aba0N.exe
1504	explorer.exe
920	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1592	spoolsv.exe
1052	explorer.exe
2136	spoolsv.exe
1052	explorer.exe
2224	spoolsv.exe
1052	explorer.exe
3000	spoolsv.exe
1052	explorer.exe
2112	spoolsv.exe
1052	explorer.exe
1120	spoolsv.exe
1052	explorer.exe
2256	spoolsv.exe
1052	explorer.exe
1940	spoolsv.exe
1052	explorer.exe
776	spoolsv.exe
1052	explorer.exe
2856	spoolsv.exe
1052	explorer.exe
1728	spoolsv.exe
1052	explorer.exe
548	spoolsv.exe
1052	explorer.exe
1044	spoolsv.exe
1052	explorer.exe
2740	spoolsv.exe
1052	explorer.exe
1548	spoolsv.exe
1052	explorer.exe
2960	spoolsv.exe
1052	explorer.exe
2388	spoolsv.exe
1052	explorer.exe
952	spoolsv.exe
1052	explorer.exe
1448	spoolsv.exe
1052	explorer.exe
2244	spoolsv.exe
1052	explorer.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
1756	a337d08121b84b6c6857f2f47c58aba0N.exe
1756	a337d08121b84b6c6857f2f47c58aba0N.exe
2500	a337d08121b84b6c6857f2f47c58aba0N.exe
2500	a337d08121b84b6c6857f2f47c58aba0N.exe
1504	explorer.exe
1504	explorer.exe
1052	explorer.exe
1052	explorer.exe
920	spoolsv.exe
920	spoolsv.exe
1052	explorer.exe
1052	explorer.exe
1592	spoolsv.exe
1592	spoolsv.exe
2136	spoolsv.exe
2136	spoolsv.exe
2224	spoolsv.exe
2224	spoolsv.exe
3000	spoolsv.exe
3000	spoolsv.exe
2112	spoolsv.exe
2112	spoolsv.exe
1120	spoolsv.exe
1120	spoolsv.exe
2256	spoolsv.exe
2256	spoolsv.exe
1940	spoolsv.exe
1940	spoolsv.exe
776	spoolsv.exe
776	spoolsv.exe
2856	spoolsv.exe
2856	spoolsv.exe
1728	spoolsv.exe
1728	spoolsv.exe
548	spoolsv.exe
548	spoolsv.exe
1044	spoolsv.exe
1044	spoolsv.exe
2740	spoolsv.exe
2740	spoolsv.exe
1548	spoolsv.exe
1548	spoolsv.exe
2960	spoolsv.exe
2960	spoolsv.exe
2388	spoolsv.exe
2388	spoolsv.exe
952	spoolsv.exe
952	spoolsv.exe
1448	spoolsv.exe
1448	spoolsv.exe
2244	spoolsv.exe
2244	spoolsv.exe
2776	spoolsv.exe
2776	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2340	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	30
PID 1756 wrote to memory of 2340	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	30
PID 1756 wrote to memory of 2340	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	30
PID 1756 wrote to memory of 2340	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	30
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 1756 wrote to memory of 2528	1756	a337d08121b84b6c6857f2f47c58aba0N.exe	32
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2500	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	34
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2528 wrote to memory of 2988	2528	a337d08121b84b6c6857f2f47c58aba0N.exe	35
PID 2500 wrote to memory of 1504	2500	a337d08121b84b6c6857f2f47c58aba0N.exe	36
PID 2500 wrote to memory of 1504	2500	a337d08121b84b6c6857f2f47c58aba0N.exe	36
PID 2500 wrote to memory of 1504	2500	a337d08121b84b6c6857f2f47c58aba0N.exe	36
PID 2500 wrote to memory of 1504	2500	a337d08121b84b6c6857f2f47c58aba0N.exe	36
PID 1504 wrote to memory of 2956	1504	explorer.exe	37
PID 1504 wrote to memory of 2956	1504	explorer.exe	37
PID 1504 wrote to memory of 2956	1504	explorer.exe	37
PID 1504 wrote to memory of 2956	1504	explorer.exe	37
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39
PID 1504 wrote to memory of 824	1504	explorer.exe	39

C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe
"C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe
  C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe
    C:\Users\Admin\AppData\Local\Temp\a337d08121b84b6c6857f2f47c58aba0N.exe
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:2956
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:824
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Modifies visiblity of hidden/system files in Explorer
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2412
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2324
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1588
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2276
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2832
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2672
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2544
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1492
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1320
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2152
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:592
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1256
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2188
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2308
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1508
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2992
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2944
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2996
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1560
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1928
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:1280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1660
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2820
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1328
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2632
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1200
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2980
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1816
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:572
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1368
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1140
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2320
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:2004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2664
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:336
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.9MB

MD5
a337d08121b84b6c6857f2f47c58aba0

SHA1
f3dde23f349ef5343873254e905546a713e36a21

SHA256
7f25805707be6779ea1ef6619eb0a4741e824db3a6d2eb0a984348f86a21e577

SHA512
57fe5e9b7e9559dc7a8a3938d39cabaa49dcf73371abd29fdafacf1a8fea0db9c8d48c765a5a0ce1960e39673a8ebc86ccf4252e088f1be38f8771c1348a1c02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Windows\system\explorer.exe

Filesize
2.9MB

MD5
19a6e9dc1d0a8dfadf9245320c44c29d

SHA1
c15868d647eba1b14edd4dd10004346c82f6f6c5

SHA256
44c344cc3f759df4e1e62596bb36fb98f11aafd318fcdc3def44660e1dda622f

SHA512
8433f7a6fe68aef75987411fbcb04ffc8ec57ae82564b1be536ebd8556da313d65ba75b7002d64d569d99ded4ab4b4bff8ab20d4668630a1773c7e8bacc04375

Download Submit
\Windows\system\spoolsv.exe

Filesize
2.9MB

MD5
6806fb8df284b1caa9d4de2f02de4819

SHA1
8e0084c89f216569c2b6766b8567ef902d6dc350

SHA256
603b56c6ea04347550e2e7c813a7596b33a2b14c527073e5980982edd1d22930

SHA512
4ffb076d69e966d7ce5b7ff2962fb367e9c0d9dbe3ac268a22293ba87b88a70544371d09616983424217bf5d4df5a1f03c03da5015a265b410aa48f641340c78

Download Submit
memory/572-1075-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/608-393-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/824-174-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/824-140-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1140-1121-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1200-983-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1256-600-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1320-494-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1328-935-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1492-443-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1660-887-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1856-1169-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1948-289-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2152-542-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2308-650-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2324-239-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2500-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-58-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-77-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-59-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-1-0x0000000000300000-0x0000000000400000-memory.dmp

Filesize
1024KB

Download
memory/2528-47-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2528-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-14-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-17-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-18-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-20-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-22-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-24-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-28-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-30-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-40-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-46-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-6-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-49-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/2528-35-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-37-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-39-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-44-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2528-50-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-48-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2528-45-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2596-840-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2832-341-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2980-1029-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2988-80-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2988-70-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2996-747-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download