warzonerat | 1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10v20201028
submitted
14-12-2020 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5f14779fb1c47108ab2e8288cd56235.exe
Size

1.2MB
MD5

e5f14779fb1c47108ab2e8288cd56235
SHA1

943b96da1a9fb209ae01f25e12f4da98ef86b263
SHA256

1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3
SHA512

b77f4f23887389944a66f71ac56e309e4186ed2bd0665babc1b5b5acf76a2b7b88154482b3b6cde374a63e877a3a84d91760da9039f2026aea13c63b6019f469

Score

10^/10

warzonerat xmrig aspackv2 evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 17 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\svchost.exe	warzonerat
\??\c:\windows\system\svchost.exe	warzonerat

ASPack v2.12-2.42 17 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	aspack_v212_v242
\??\c:\windows\system\explorer.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\Disk.sys	aspack_v212_v242
C:\Windows\System\explorer.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
\??\c:\windows\system\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\spoolsv.exe	aspack_v212_v242
C:\Windows\System\svchost.exe	aspack_v212_v242
\??\c:\windows\system\svchost.exe	aspack_v212_v242

Executes dropped EXE 12 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exesvchost.exe

pid	process
3504	explorer.exe
980	explorer.exe
1300	spoolsv.exe
3900	spoolsv.exe
2648	spoolsv.exe
1256	spoolsv.exe
2360	spoolsv.exe
3228	spoolsv.exe
2276	spoolsv.exe
1156	spoolsv.exe
3464	spoolsv.exe
744	svchost.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exespoolsv.exee5f14779fb1c47108ab2e8288cd56235.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	spoolsv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	e5f14779fb1c47108ab2e8288cd56235.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1144 set thread context of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 set thread context of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 3504 set thread context of 980	3504	explorer.exe	explorer.exe
PID 3504 set thread context of 3224	3504	explorer.exe	diskperf.exe
PID 1300 set thread context of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 set thread context of 2264	1300	spoolsv.exe	diskperf.exe

Drops file in Windows directory 5 IoCs

Processes:

explorer.exespoolsv.exee5f14779fb1c47108ab2e8288cd56235.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	e5f14779fb1c47108ab2e8288cd56235.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3720	3900	WerFault.exe	spoolsv.exe
984	2648	WerFault.exe	spoolsv.exe
1744	1256	WerFault.exe	spoolsv.exe
2912	2360	WerFault.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
2012	e5f14779fb1c47108ab2e8288cd56235.exe
2012	e5f14779fb1c47108ab2e8288cd56235.exe
980	explorer.exe
980	explorer.exe
980	explorer.exe
980	explorer.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
3720	WerFault.exe
980	explorer.exe
980	explorer.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
984	WerFault.exe
980	explorer.exe
980	explorer.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
980	explorer.exe
980	explorer.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe
2912	WerFault.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeRestorePrivilege	3720	WerFault.exe
Token: SeBackupPrivilege	3720	WerFault.exe
Token: SeDebugPrivilege	3720	WerFault.exe
Token: SeDebugPrivilege	984	WerFault.exe
Token: SeDebugPrivilege	1744	WerFault.exe
Token: SeDebugPrivilege	2912	WerFault.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exeexplorer.exespoolsv.exe

pid	process
2012	e5f14779fb1c47108ab2e8288cd56235.exe
2012	e5f14779fb1c47108ab2e8288cd56235.exe
980	explorer.exe
980	explorer.exe
980	explorer.exe
980	explorer.exe
2276	spoolsv.exe
2276	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e5f14779fb1c47108ab2e8288cd56235.exee5f14779fb1c47108ab2e8288cd56235.exeexplorer.exeexplorer.exespoolsv.exe

description	pid	process	target process
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 2012	1144	e5f14779fb1c47108ab2e8288cd56235.exe	e5f14779fb1c47108ab2e8288cd56235.exe
PID 1144 wrote to memory of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1144 wrote to memory of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1144 wrote to memory of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1144 wrote to memory of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 1144 wrote to memory of 1984	1144	e5f14779fb1c47108ab2e8288cd56235.exe	diskperf.exe
PID 2012 wrote to memory of 3504	2012	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 2012 wrote to memory of 3504	2012	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 2012 wrote to memory of 3504	2012	e5f14779fb1c47108ab2e8288cd56235.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 980	3504	explorer.exe	explorer.exe
PID 3504 wrote to memory of 3224	3504	explorer.exe	diskperf.exe
PID 3504 wrote to memory of 3224	3504	explorer.exe	diskperf.exe
PID 3504 wrote to memory of 3224	3504	explorer.exe	diskperf.exe
PID 3504 wrote to memory of 3224	3504	explorer.exe	diskperf.exe
PID 3504 wrote to memory of 3224	3504	explorer.exe	diskperf.exe
PID 980 wrote to memory of 1300	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1300	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1300	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3900	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3900	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3900	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2648	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2648	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2648	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1256	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1256	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1256	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2360	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2360	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 2360	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3228	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3228	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 3228	980	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 1300 wrote to memory of 2276	1300	spoolsv.exe	spoolsv.exe
PID 980 wrote to memory of 1156	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1156	980	explorer.exe	spoolsv.exe
PID 980 wrote to memory of 1156	980	explorer.exe	spoolsv.exe
PID 1300 wrote to memory of 2264	1300	spoolsv.exe	diskperf.exe
PID 1300 wrote to memory of 2264	1300	spoolsv.exe	diskperf.exe
PID 1300 wrote to memory of 2264	1300	spoolsv.exe	diskperf.exe
PID 1300 wrote to memory of 2264	1300	spoolsv.exe	diskperf.exe
PID 1300 wrote to memory of 2264	1300	spoolsv.exe	diskperf.exe
PID 980 wrote to memory of 3464	980	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe
"C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe
"C:\Users\Admin\AppData\Local\Temp\e5f14779fb1c47108ab2e8288cd56235.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3504

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1300

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
6⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2276

\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
7⤵
- Executes dropped EXE
PID:744

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
6⤵
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 200
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3720

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2648 -s 200
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:984

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 200
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 200
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3228

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:1156

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
PID:3464

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
4⤵
PID:3224

C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
2⤵
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
MD5
e5f14779fb1c47108ab2e8288cd56235

SHA1
943b96da1a9fb209ae01f25e12f4da98ef86b263

SHA256
1c8e832240d54e5072e00bd6fb57df4f741a9e9527f4a0c148c434c147796fc3

SHA512
b77f4f23887389944a66f71ac56e309e4186ed2bd0665babc1b5b5acf76a2b7b88154482b3b6cde374a63e877a3a84d91760da9039f2026aea13c63b6019f469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys
MD5
4a92597d224566dc99ff89340f8d285f

SHA1
6eb82b28f9d4986360775387580a38917d20c55c

SHA256
89bc940472a5642cf3fd71f1aab474df5fdda2967e18bdee9df2ae637c5766d6

SHA512
e509812580fcb0360c52a68fc109d33bfd05cb91b1dfc3afeead0abb8b16ceb5fcc53465c53d32550d388e2b74ba635018026c3a2af30aa4e477ca0c7b504d1c

Download Submit
C:\Windows\System\explorer.exe
MD5
4a92597d224566dc99ff89340f8d285f

SHA1
6eb82b28f9d4986360775387580a38917d20c55c

SHA256
89bc940472a5642cf3fd71f1aab474df5fdda2967e18bdee9df2ae637c5766d6

SHA512
e509812580fcb0360c52a68fc109d33bfd05cb91b1dfc3afeead0abb8b16ceb5fcc53465c53d32550d388e2b74ba635018026c3a2af30aa4e477ca0c7b504d1c

Download Submit
C:\Windows\System\explorer.exe
MD5
4a92597d224566dc99ff89340f8d285f

SHA1
6eb82b28f9d4986360775387580a38917d20c55c

SHA256
89bc940472a5642cf3fd71f1aab474df5fdda2967e18bdee9df2ae637c5766d6

SHA512
e509812580fcb0360c52a68fc109d33bfd05cb91b1dfc3afeead0abb8b16ceb5fcc53465c53d32550d388e2b74ba635018026c3a2af30aa4e477ca0c7b504d1c

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
C:\Windows\System\svchost.exe
MD5
2b61871997738d6a76bbb838e806f3a4

SHA1
0944a75cb138384d19e022584c714b63261e24d7

SHA256
3eca76a33d0121146fc27de8ee499f2fb2afbe8c19453bbde6d04d4174c4ff25

SHA512
b19d4965fb72bb1ef1b832725c0a296127fd484492bec7ad3c427cfd9d8b443e7c03eaeab1ae36b60d9c08d51cbfd4cd558a2b33d5ba134ba323aaf8a5074e47

Download Submit
\??\c:\windows\system\explorer.exe
MD5
4a92597d224566dc99ff89340f8d285f

SHA1
6eb82b28f9d4986360775387580a38917d20c55c

SHA256
89bc940472a5642cf3fd71f1aab474df5fdda2967e18bdee9df2ae637c5766d6

SHA512
e509812580fcb0360c52a68fc109d33bfd05cb91b1dfc3afeead0abb8b16ceb5fcc53465c53d32550d388e2b74ba635018026c3a2af30aa4e477ca0c7b504d1c

Download Submit
\??\c:\windows\system\spoolsv.exe
MD5
d66e7846f46764036b6e917b5f604f69

SHA1
a37af7181b1b97040f276737b1f2d27d6e82df0c

SHA256
8b2717af10387d9b19314db58ff785c1cb8590e3aee8511cd1654201b6f5beba

SHA512
812b1e8d69af9556c74c08ea28dfaf312efa44c647d649c4b202b9ee37b7c68361b98b4db44fd4cf30473a321663530ad3749920c960593cdafd43feeb63b0c7

Download Submit
\??\c:\windows\system\svchost.exe
MD5
2b61871997738d6a76bbb838e806f3a4

SHA1
0944a75cb138384d19e022584c714b63261e24d7

SHA256
3eca76a33d0121146fc27de8ee499f2fb2afbe8c19453bbde6d04d4174c4ff25

SHA512
b19d4965fb72bb1ef1b832725c0a296127fd484492bec7ad3c427cfd9d8b443e7c03eaeab1ae36b60d9c08d51cbfd4cd558a2b33d5ba134ba323aaf8a5074e47

Download Submit
memory/744-121-0x0000000000000000-mapping.dmp

Download
memory/744-133-0x0000000000000000-mapping.dmp

Download
memory/744-118-0x0000000000000000-mapping.dmp

Download
memory/744-145-0x0000000000000000-mapping.dmp

Download
memory/744-115-0x0000000000000000-mapping.dmp

Download
memory/744-130-0x0000000000000000-mapping.dmp

Download
memory/744-127-0x0000000000000000-mapping.dmp

Download
memory/744-151-0x0000000000000000-mapping.dmp

Download
memory/744-124-0x0000000000000000-mapping.dmp

Download
memory/744-142-0x0000000000000000-mapping.dmp

Download
memory/744-139-0x0000000000000000-mapping.dmp

Download
memory/744-148-0x0000000000000000-mapping.dmp

Download
memory/744-136-0x0000000000000000-mapping.dmp

Download
memory/744-154-0x0000000000000000-mapping.dmp

Download
memory/744-157-0x0000000000000000-mapping.dmp

Download
memory/744-110-0x0000000000000000-mapping.dmp

Download
memory/744-160-0x0000000000000000-mapping.dmp

Download
memory/744-163-0x0000000000000000-mapping.dmp

Download
memory/744-166-0x0000000000000000-mapping.dmp

Download
memory/744-169-0x0000000000000000-mapping.dmp

Download
memory/744-172-0x0000000000000000-mapping.dmp

Download
memory/980-140-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-129-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-170-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-171-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-82-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-81-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-167-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-168-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-165-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-161-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-89-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-88-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-162-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-55-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-94-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-158-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-159-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-92-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-56-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-156-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-155-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-105-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-153-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-107-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-152-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-149-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-150-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-40-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-114-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-112-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-41-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-117-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-116-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-17-0x0000000000403670-mapping.dmp

Download
memory/980-120-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-119-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-147-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-123-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-122-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-144-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-125-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-126-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-143-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-128-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-141-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-34-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-131-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-132-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-33-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-134-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-135-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-31-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-137-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/980-138-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/980-32-0x0000000003B20000-0x0000000003B21000-memory.dmp

Filesize
4KB

Download
memory/984-46-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/984-44-0x0000000004540000-0x0000000004541000-memory.dmp

Filesize
4KB

Download
memory/1156-96-0x0000000000000000-mapping.dmp

Download
memory/1256-57-0x0000000000000000-mapping.dmp

Download
memory/1256-60-0x0000000000000000-mapping.dmp

Download
memory/1300-28-0x0000000000000000-mapping.dmp

Download
memory/1744-62-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/1744-59-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1984-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1984-6-0x0000000000411000-mapping.dmp

Download
memory/1984-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2012-11-0x0000000003380000-0x0000000003381000-memory.dmp

Filesize
4KB

Download
memory/2012-3-0x0000000000403670-mapping.dmp

Download
memory/2012-12-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/2012-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-101-0x0000000000411000-mapping.dmp

Download
memory/2276-95-0x0000000000403670-mapping.dmp

Download
memory/2360-86-0x0000000000000000-mapping.dmp

Download
memory/2360-83-0x0000000000000000-mapping.dmp

Download
memory/2648-45-0x0000000000000000-mapping.dmp

Download
memory/2648-42-0x0000000000000000-mapping.dmp

Download
memory/2912-87-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/3224-23-0x0000000000411000-mapping.dmp

Download
memory/3228-90-0x0000000000000000-mapping.dmp

Download
memory/3464-108-0x0000000000000000-mapping.dmp

Download
memory/3504-13-0x0000000000000000-mapping.dmp

Download
memory/3720-39-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/3720-37-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/3900-38-0x0000000000000000-mapping.dmp

Download
memory/3900-35-0x0000000000000000-mapping.dmp

Download