warzonerat | 232fa0ccf0d7101b181f4b5d8d3ff8922add3201a9ec0775bd7a3dc92c83593d

Analysis

max time kernel
150s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
07-06-2021 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f8fc47b239020267d15dbe3341300556e49045fa.exe
Size

2.9MB
MD5

c5e28bfedb16297faa7457ceb5227cee
SHA1

f8fc47b239020267d15dbe3341300556e49045fa
SHA256

8733e10a589c028f8a2ccffc49d38b1293664e097401bee7053c4ec84f0565fa
SHA512

41c5b2c253f9901ff734aa3fa184ded36e11c3652a3f0eaa87e40c509be61bf320de06c62e26f017533c64f82abbca48e6ca51576544135341da7832be4d6506

Score

10^/10

warzonerat xmrig evasion infostealer miner persistence rat

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Warzone RAT Payload 28 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\System\explorer.exe	warzonerat
\??\c:\windows\system\explorer.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Users\Admin\AppData\Local\Temp\Disk.sys	warzonerat
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe	warzonerat
C:\Windows\System\explorer.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
\??\c:\windows\system\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat
C:\Windows\System\spoolsv.exe	warzonerat

Executes dropped EXE 26 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1168	explorer.exe
1744	explorer.exe
744	explorer.exe
3164	spoolsv.exe
2180	spoolsv.exe
2844	spoolsv.exe
2128	spoolsv.exe
416	spoolsv.exe
3332	spoolsv.exe
3168	spoolsv.exe
1240	spoolsv.exe
2200	spoolsv.exe
2112	spoolsv.exe
2308	spoolsv.exe
4076	spoolsv.exe
1232	spoolsv.exe
3864	spoolsv.exe
3960	spoolsv.exe
3948	spoolsv.exe
2176	spoolsv.exe
3292	spoolsv.exe
3852	spoolsv.exe
2100	spoolsv.exe
1200	spoolsv.exe
3476	spoolsv.exe
2092	spoolsv.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 4 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	f8fc47b239020267d15dbe3341300556e49045fa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 2112 set thread context of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 set thread context of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 1168 set thread context of 1744	1168	explorer.exe	explorer.exe
PID 1744 set thread context of 744	1744	explorer.exe	explorer.exe
PID 1744 set thread context of 2740	1744	explorer.exe	diskperf.exe
PID 3164 set thread context of 2180	3164	spoolsv.exe	spoolsv.exe
PID 2844 set thread context of 2128	2844	spoolsv.exe	spoolsv.exe
PID 416 set thread context of 3332	416	spoolsv.exe	spoolsv.exe
PID 3168 set thread context of 1240	3168	spoolsv.exe	spoolsv.exe
PID 2200 set thread context of 2112	2200	spoolsv.exe	spoolsv.exe
PID 2308 set thread context of 4076	2308	spoolsv.exe	spoolsv.exe
PID 1232 set thread context of 3864	1232	spoolsv.exe	spoolsv.exe
PID 3960 set thread context of 3948	3960	spoolsv.exe	spoolsv.exe
PID 2176 set thread context of 3292	2176	spoolsv.exe	spoolsv.exe
PID 3852 set thread context of 2100	3852	spoolsv.exe	spoolsv.exe
PID 1200 set thread context of 3476	1200	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 16 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exef8fc47b239020267d15dbe3341300556e49045fa.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe

description	ioc	process
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\spoolsv.exe	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2112	f8fc47b239020267d15dbe3341300556e49045fa.exe
2112	f8fc47b239020267d15dbe3341300556e49045fa.exe
2100	f8fc47b239020267d15dbe3341300556e49045fa.exe
2100	f8fc47b239020267d15dbe3341300556e49045fa.exe
1168	explorer.exe
1168	explorer.exe
3164	spoolsv.exe
3164	spoolsv.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
744	explorer.exe
2844	spoolsv.exe
2844	spoolsv.exe
744	explorer.exe
744	explorer.exe
416	spoolsv.exe
416	spoolsv.exe
744	explorer.exe
744	explorer.exe
3168	spoolsv.exe
3168	spoolsv.exe
744	explorer.exe
744	explorer.exe
2200	spoolsv.exe
2200	spoolsv.exe
744	explorer.exe
744	explorer.exe
2308	spoolsv.exe
2308	spoolsv.exe
744	explorer.exe
744	explorer.exe
1232	spoolsv.exe
1232	spoolsv.exe
744	explorer.exe
744	explorer.exe
3960	spoolsv.exe
3960	spoolsv.exe
744	explorer.exe
744	explorer.exe
2176	spoolsv.exe
2176	spoolsv.exe
744	explorer.exe
744	explorer.exe
3852	spoolsv.exe
3852	spoolsv.exe
744	explorer.exe
744	explorer.exe
1200	spoolsv.exe
1200	spoolsv.exe
744	explorer.exe
744	explorer.exe
2092	spoolsv.exe
2092	spoolsv.exe

Suspicious use of SetWindowsHookEx 34 IoCs

Processes:

pid	process
2112	f8fc47b239020267d15dbe3341300556e49045fa.exe
2112	f8fc47b239020267d15dbe3341300556e49045fa.exe
2100	f8fc47b239020267d15dbe3341300556e49045fa.exe
2100	f8fc47b239020267d15dbe3341300556e49045fa.exe
1168	explorer.exe
1168	explorer.exe
744	explorer.exe
744	explorer.exe
3164	spoolsv.exe
3164	spoolsv.exe
744	explorer.exe
744	explorer.exe
2844	spoolsv.exe
2844	spoolsv.exe
416	spoolsv.exe
416	spoolsv.exe
3168	spoolsv.exe
3168	spoolsv.exe
2200	spoolsv.exe
2200	spoolsv.exe
2308	spoolsv.exe
2308	spoolsv.exe
1232	spoolsv.exe
1232	spoolsv.exe
3960	spoolsv.exe
3960	spoolsv.exe
2176	spoolsv.exe
2176	spoolsv.exe
3852	spoolsv.exe
3852	spoolsv.exe
1200	spoolsv.exe
1200	spoolsv.exe
2092	spoolsv.exe
2092	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exef8fc47b239020267d15dbe3341300556e49045fa.exeexplorer.exe

description	pid	process	target process
PID 2112 wrote to memory of 836	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 2112 wrote to memory of 836	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 2112 wrote to memory of 836	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	cmd.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2112 wrote to memory of 2644	2112	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 2100	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	f8fc47b239020267d15dbe3341300556e49045fa.exe
PID 2644 wrote to memory of 3852	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 2644 wrote to memory of 3852	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 2644 wrote to memory of 3852	2644	f8fc47b239020267d15dbe3341300556e49045fa.exe	diskperf.exe
PID 2100 wrote to memory of 1168	2100	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 2100 wrote to memory of 1168	2100	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 2100 wrote to memory of 1168	2100	f8fc47b239020267d15dbe3341300556e49045fa.exe	explorer.exe
PID 1168 wrote to memory of 1272	1168	explorer.exe	cmd.exe
PID 1168 wrote to memory of 1272	1168	explorer.exe	cmd.exe
PID 1168 wrote to memory of 1272	1168	explorer.exe	cmd.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe
PID 1168 wrote to memory of 1744	1168	explorer.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
"C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  PID:836
- C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
  C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
    C:\Users\Admin\AppData\Local\Temp\f8fc47b239020267d15dbe3341300556e49045fa.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        Drops startup file
        
        PID:1272
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        
        PID:1744
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:744
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3908
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2344
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2128
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2780
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3332
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:1240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2112
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2456
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:4076
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:836
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3784
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3948
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3988
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3292
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3884
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:2100
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1360
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        Executes dropped EXE
        
        PID:3476
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        Drops startup file
        
        PID:3376
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3780
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:2740
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:3852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5
c5e28bfedb16297faa7457ceb5227cee

SHA1
f8fc47b239020267d15dbe3341300556e49045fa

SHA256
8733e10a589c028f8a2ccffc49d38b1293664e097401bee7053c4ec84f0565fa

SHA512
41c5b2c253f9901ff734aa3fa184ded36e11c3652a3f0eaa87e40c509be61bf320de06c62e26f017533c64f82abbca48e6ca51576544135341da7832be4d6506

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5
9f25d0f37ba81f490ce56b131056b48c

SHA1
97f16297ef26b64f823bb39e8063943ad39d0d26

SHA256
9e5849334a6d76e8d6d7824eb8bbdae17fa397fcfddef4aab41806db42836d7e

SHA512
b5cab929c224612055919686ba617e0b41500032e1ffc56309074f0415a950e3657b9144ad45a9cb95e204895bfd4cd6e776d7ac213abb4a1820629b94e044f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

MD5
9f25d0f37ba81f490ce56b131056b48c

SHA1
97f16297ef26b64f823bb39e8063943ad39d0d26

SHA256
9e5849334a6d76e8d6d7824eb8bbdae17fa397fcfddef4aab41806db42836d7e

SHA512
b5cab929c224612055919686ba617e0b41500032e1ffc56309074f0415a950e3657b9144ad45a9cb95e204895bfd4cd6e776d7ac213abb4a1820629b94e044f5

Download Submit
C:\Windows\System\explorer.exe

MD5
9f25d0f37ba81f490ce56b131056b48c

SHA1
97f16297ef26b64f823bb39e8063943ad39d0d26

SHA256
9e5849334a6d76e8d6d7824eb8bbdae17fa397fcfddef4aab41806db42836d7e

SHA512
b5cab929c224612055919686ba617e0b41500032e1ffc56309074f0415a950e3657b9144ad45a9cb95e204895bfd4cd6e776d7ac213abb4a1820629b94e044f5

Download Submit
C:\Windows\System\explorer.exe

MD5
9f25d0f37ba81f490ce56b131056b48c

SHA1
97f16297ef26b64f823bb39e8063943ad39d0d26

SHA256
9e5849334a6d76e8d6d7824eb8bbdae17fa397fcfddef4aab41806db42836d7e

SHA512
b5cab929c224612055919686ba617e0b41500032e1ffc56309074f0415a950e3657b9144ad45a9cb95e204895bfd4cd6e776d7ac213abb4a1820629b94e044f5

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
C:\Windows\System\spoolsv.exe

MD5
c9fb813fbab16a0589fd1429a8e3d075

SHA1
ae2a9af5583bdc0f30d32a0911d65ada711fb175

SHA256
155c6a694d877367a88db091a6abdc53cc22bd40b6994e9bbf2a31dd2e3c6a23

SHA512
b753faf88c58f5eed3c2743b2f606f0b29b5f861bd21a498a6f71b9db26c0ad58c5e7e1053e988a610717606154613c13ca6255ff4bfa9da1e2b355b5c13be4a

Download Submit
C:\Windows\System\spoolsv.exe

MD5
2c7235f84f7f15da1ff365d76523700f

SHA1
e7cfa801da09b518abb55c2f79de6473cfdc4e3e

SHA256
d8781f2e3684ddf35bf46779589fef6c020f6fe0f55290dce57e387c062d5f5c

SHA512
56341db37c1c8b526cd6f189399d6691590e00f9514ee7da454018b6d5fef4cdbfb214174a64837e7d8c194af37ecc167a5c502ac91dd7be62abbfe25f385f09

Download Submit
\??\c:\windows\system\explorer.exe

MD5
9f25d0f37ba81f490ce56b131056b48c

SHA1
97f16297ef26b64f823bb39e8063943ad39d0d26

SHA256
9e5849334a6d76e8d6d7824eb8bbdae17fa397fcfddef4aab41806db42836d7e

SHA512
b5cab929c224612055919686ba617e0b41500032e1ffc56309074f0415a950e3657b9144ad45a9cb95e204895bfd4cd6e776d7ac213abb4a1820629b94e044f5

Download Submit
\??\c:\windows\system\spoolsv.exe

MD5
3fc841d7e512dedb9bbeebc07cefa492

SHA1
feca466cbef5e1e9609bdc36e1ea629c4b9f8c16

SHA256
53eb459414f2ab656ca0752323b2265899181c9f839554b4a6b470dfeaba7f2d

SHA512
0295adcd209fdf9d3585cdd9e6262665a3cb5f18b27eccded99c871cd1035eefac0cfa5c11b7b55ec2f341b65a18a0f9403c479a911f8d9fd582dc42ebd8a950

Download Submit
memory/416-177-0x0000000000000000-mapping.dmp

Download
memory/744-144-0x0000000000403670-mapping.dmp

Download
memory/836-228-0x0000000000000000-mapping.dmp

Download
memory/836-114-0x0000000000000000-mapping.dmp

Download
memory/852-192-0x0000000000000000-mapping.dmp

Download
memory/1168-128-0x0000000000000000-mapping.dmp

Download
memory/1200-268-0x0000000000000000-mapping.dmp

Download
memory/1232-225-0x0000000000000000-mapping.dmp

Download
memory/1240-220-0x0000000006FD0000-0x000000000707E000-memory.dmp

Filesize
696KB

Download
memory/1240-197-0x00000000004E7001-mapping.dmp

Download
memory/1272-131-0x0000000000000000-mapping.dmp

Download
memory/1360-270-0x0000000000000000-mapping.dmp

Download
memory/1568-204-0x0000000000000000-mapping.dmp

Download
memory/1744-140-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1744-139-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1744-138-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1744-141-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/1744-137-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1744-142-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/1744-135-0x00000000004E7001-mapping.dmp

Download
memory/2092-278-0x0000000000000000-mapping.dmp

Download
memory/2100-272-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/2100-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-266-0x00000000004E7001-mapping.dmp

Download
memory/2100-124-0x0000000000403670-mapping.dmp

Download
memory/2112-211-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2112-209-0x00000000004E7001-mapping.dmp

Download
memory/2112-213-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2112-219-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2112-226-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2112-232-0x00000000070B0000-0x00000000070B1000-memory.dmp

Filesize
4KB

Download
memory/2128-174-0x00000000004E7001-mapping.dmp

Download
memory/2128-195-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2128-181-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2128-176-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2176-249-0x0000000000000000-mapping.dmp

Download
memory/2180-163-0x00000000004E7001-mapping.dmp

Download
memory/2180-173-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2180-165-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2180-171-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2180-166-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2180-182-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2200-201-0x0000000000000000-mapping.dmp

Download
memory/2308-212-0x0000000000000000-mapping.dmp

Download
memory/2344-169-0x0000000000000000-mapping.dmp

Download
memory/2456-217-0x0000000000000000-mapping.dmp

Download
memory/2644-120-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2644-118-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2644-119-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2644-117-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/2644-121-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2644-122-0x00000000070E0000-0x000000000722A000-memory.dmp

Filesize
1.3MB

Download
memory/2644-116-0x00000000004E7001-mapping.dmp

Download
memory/2644-115-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/2740-150-0x0000000000411000-mapping.dmp

Download
memory/2740-148-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2740-159-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2780-180-0x0000000000000000-mapping.dmp

Download
memory/2844-167-0x0000000000000000-mapping.dmp

Download
memory/3164-155-0x0000000000000000-mapping.dmp

Download
memory/3168-189-0x0000000000000000-mapping.dmp

Download
memory/3292-257-0x00000000004E7001-mapping.dmp

Download
memory/3292-275-0x0000000006FD0000-0x000000000711A000-memory.dmp

Filesize
1.3MB

Download
memory/3332-190-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3332-200-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3332-196-0x0000000000400000-0x0000000006FD0000-memory.dmp

Filesize
107.8MB

Download
memory/3332-187-0x0000000000400000-0x0000000001990000-memory.dmp

Filesize
21.6MB

Download
memory/3332-185-0x00000000004E7001-mapping.dmp

Download
memory/3332-208-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3376-281-0x0000000000000000-mapping.dmp

Download
memory/3476-280-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/3476-274-0x00000000004E7001-mapping.dmp

Download
memory/3784-241-0x0000000000000000-mapping.dmp

Download
memory/3852-260-0x0000000000000000-mapping.dmp

Download
memory/3864-256-0x0000000006FD0000-0x000000000711A000-memory.dmp

Filesize
1.3MB

Download
memory/3864-233-0x00000000004E7001-mapping.dmp

Download
memory/3884-263-0x0000000000000000-mapping.dmp

Download
memory/3908-160-0x0000000000000000-mapping.dmp

Download
memory/3948-273-0x0000000006FD0000-0x000000000711A000-memory.dmp

Filesize
1.3MB

Download
memory/3948-245-0x00000000004E7001-mapping.dmp

Download
memory/3960-238-0x0000000000000000-mapping.dmp

Download
memory/3988-252-0x0000000000000000-mapping.dmp

Download
memory/4076-221-0x00000000004E7001-mapping.dmp

Download
memory/4076-244-0x00000000071D0000-0x00000000071D1000-memory.dmp

Filesize
4KB

Download