warzonerat | a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7

Analysis

max time kernel
119s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
Size

2.9MB
MD5

b61e622e55ae95e1ab465cc5ae06b470
SHA1

d33f6d8f8dd3d1fd2da4cb0c5fbf28e4de1a9d79
SHA256

a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7
SHA512

e05e73c92d887f56112b373abb7d032f50d16dc2e02934e40a498114bcbfda9e5409052a9062173f897945ea9aeeffd9c0b37218c84de0721bfef7a966dffd33
SSDEEP

24576:ATU7AAmZZcVKfIxTiEVc847flVC6faaQDbGV6eH81k6IbGD2JTu0GoZQDbGV6eHx:ATU7AAmw4gxeOw46fUbNecCCFbNeca

Score

10^/10

warzonerat discovery infostealer persistence rat upx

Malware Config

Signatures

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 25 IoCs

rat

resource	yara_rule
behavioral2/files/0x0009000000023cdb-35.dat	warzonerat
behavioral2/files/0x000d0000000234f8-76.dat	warzonerat
behavioral2/files/0x000d0000000234f8-75.dat	warzonerat
behavioral2/files/0x0008000000023cd9-59.dat	warzonerat
behavioral2/files/0x0008000000023cd8-57.dat	warzonerat
behavioral2/files/0x0009000000023cdb-56.dat	warzonerat
behavioral2/files/0x000d0000000234f8-80.dat	warzonerat
behavioral2/files/0x000d0000000234f8-91.dat	warzonerat
behavioral2/files/0x000d0000000234f8-95.dat	warzonerat
behavioral2/files/0x000d0000000234f8-103.dat	warzonerat
behavioral2/files/0x000d0000000234f8-116.dat	warzonerat
behavioral2/files/0x000d0000000234f8-108.dat	warzonerat
behavioral2/files/0x000d0000000234f8-129.dat	warzonerat
behavioral2/files/0x000d0000000234f8-133.dat	warzonerat
behavioral2/files/0x000d0000000234f8-154.dat	warzonerat
behavioral2/files/0x000d0000000234f8-158.dat	warzonerat
behavioral2/files/0x000d0000000234f8-166.dat	warzonerat
behavioral2/files/0x000d0000000234f8-170.dat	warzonerat
behavioral2/files/0x000d0000000234f8-179.dat	warzonerat
behavioral2/files/0x000d0000000234f8-183.dat	warzonerat
behavioral2/files/0x000d0000000234f8-193.dat	warzonerat
behavioral2/files/0x000d0000000234f8-197.dat	warzonerat
behavioral2/files/0x000d0000000234f8-212.dat	warzonerat
behavioral2/files/0x000d0000000234f8-226.dat	warzonerat
behavioral2/files/0x000d0000000234f8-282.dat	warzonerat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4420	explorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 3940 set thread context of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2128-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2128-11-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x0009000000023cdb-35.dat	upx
behavioral2/memory/4420-47-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-76.dat	upx
behavioral2/files/0x000d0000000234f8-75.dat	upx
behavioral2/files/0x0008000000023cd9-59.dat	upx
behavioral2/files/0x0008000000023cd8-57.dat	upx
behavioral2/files/0x0009000000023cdb-56.dat	upx
behavioral2/files/0x000d0000000234f8-80.dat	upx
behavioral2/files/0x000d0000000234f8-91.dat	upx
behavioral2/memory/4328-88-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-95.dat	upx
behavioral2/memory/4088-102-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3544-104-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-103.dat	upx
behavioral2/files/0x000d0000000234f8-116.dat	upx
behavioral2/files/0x000d0000000234f8-108.dat	upx
behavioral2/files/0x000d0000000234f8-129.dat	upx
behavioral2/memory/348-128-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-133.dat	upx
behavioral2/memory/4528-141-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1852-153-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-154.dat	upx
behavioral2/files/0x000d0000000234f8-158.dat	upx
behavioral2/memory/4884-165-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-166.dat	upx
behavioral2/files/0x000d0000000234f8-170.dat	upx
behavioral2/memory/3048-178-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-179.dat	upx
behavioral2/files/0x000d0000000234f8-183.dat	upx
behavioral2/files/0x000d0000000234f8-193.dat	upx
behavioral2/memory/3012-191-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-197.dat	upx
behavioral2/memory/3540-206-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4192-208-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-212.dat	upx
behavioral2/memory/4252-222-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-226.dat	upx
behavioral2/memory/4252-235-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/5048-249-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/428-263-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4704-276-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-278.dat	upx
behavioral2/memory/2928-291-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x000d0000000234f8-282.dat	upx
behavioral2/files/0x000d0000000234f8-296.dat	upx
behavioral2/memory/408-305-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3452-320-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/452-334-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/3396-346-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1792-358-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1724-370-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/640-383-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2612-381-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4324-395-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/4460-407-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1128-419-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2940-432-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/2848-444-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\explorer.exe	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
4420	explorer.exe
4420	explorer.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3924	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	83
PID 2128 wrote to memory of 3924	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	83
PID 2128 wrote to memory of 3924	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	83
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 2128 wrote to memory of 3940	2128	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	85
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 5112	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	102
PID 3940 wrote to memory of 1196	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	103
PID 3940 wrote to memory of 1196	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	103
PID 3940 wrote to memory of 1196	3940	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	103
PID 5112 wrote to memory of 4420	5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	104
PID 5112 wrote to memory of 4420	5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	104
PID 5112 wrote to memory of 4420	5112	a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe	104
PID 4420 wrote to memory of 4680	4420	explorer.exe	105
PID 4420 wrote to memory of 4680	4420	explorer.exe	105
PID 4420 wrote to memory of 4680	4420	explorer.exe	105

C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
"C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:3924
- C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
  C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
    C:\Users\Admin\AppData\Local\Temp\a3f614ead16605f933b0e5c576ae5d708498d453cce9c5c23ece89baf167ddd7N.exe
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - \??\c:\windows\system\explorer.exe
      c:\windows\system\explorer.exe
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
    - - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        5⤵
        
        PID:3120
      - \??\c:\windows\system\explorer.exe
        
        c:\windows\system\explorer.exe
        6⤵
        
        PID:3520
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4284
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3856
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4348
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2940
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4312
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4280
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1912
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:5036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3252
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4208
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:5072
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2568
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4964
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3132
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1736
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2664
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3004
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2108
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2576
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2136
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2008
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2804
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3488
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3124
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:552
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3428
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2556
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1608
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:3864
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1396
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3392
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1372
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4536
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1180
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1144
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:4636
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:4796
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3720
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:5044
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3972
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:792
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3960
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1192
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2772
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:408
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2616
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1892
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3024
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:852
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2020
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3516
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:3596
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:380
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2240
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:244
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1848
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:2016
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1184
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2468
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:2036
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe
        8⤵
        
        PID:1924
        
        \??\c:\windows\system\spoolsv.exe
        
        c:\windows\system\spoolsv.exe SE
        7⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
        8⤵
        
        PID:1892
      - C:\Windows\SysWOW64\diskperf.exe
        
        "C:\Windows\SysWOW64\diskperf.exe"
        6⤵
        
        PID:5104
- - C:\Windows\SysWOW64\diskperf.exe
    "C:\Windows\SysWOW64\diskperf.exe"
    3⤵
    PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

Filesize
2.4MB

MD5
a5285e2d856f24717085c23dafb87b8f

SHA1
dcc2d91700f82c800c594872c3318c8542e8356e

SHA256
c37444279a69c1b98f3c30a0c3b72ad51639c5849e6e71e11a562d36ca01d583

SHA512
c70df24a474b8a05728bf7d0278992675d7b57ce1e7096e73fb33c216777264181059097fcc4d3846dce5edec381a59f08e7846f46f7aa54159011dd9fb53e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disk.sys

Filesize
2.6MB

MD5
9ec4e25e5783ee0979b2078966be73c0

SHA1
d9365bf3025396b5cc398ebc64b6effcda087fba

SHA256
b9d5bf25b17de99a24cfe258699a3286833767809e929c3ced381551a7b2e4c8

SHA512
37567b7ac98e11f81c02686571999097ef1780a24be6ab3d0386faa772dea3ebce198b12886436ae9b91178be7928463e9274aa46dbf9f07b611e6633b95cb45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
93B

MD5
8445bfa5a278e2f068300c604a78394b

SHA1
9fb4eef5ec2606bd151f77fdaa219853d4aa0c65

SHA256
5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c

SHA512
8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

Filesize
92B

MD5
13222a4bb413aaa8b92aa5b4f81d2760

SHA1
268a48f2fe84ed49bbdc1873a8009db8c7cba66a

SHA256
d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d

SHA512
eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

Download Submit
C:\Windows\System\explorer.exe

Filesize
2.7MB

MD5
29c02b253e64ffceeafc12d3a1a7519e

SHA1
1a9a21fffd0927d93b519fbf17466e7284592102

SHA256
524dfced77a436e12c9240df4cab01c9491ff2bc2301516d7e6e0dbd4d9a1270

SHA512
1875e4ef607ad7babe020e4e959d3467fe4d6e9e72f1327dcf866a01933a2817efff95906f253a8422a1f04bc2b5812666674bd04f6e0bad3b7f5d90d78469d8

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.3MB

MD5
41502f8d48776fd409f070cb78e1ae5b

SHA1
f7ef1c523a94312dd56b262eab370c72d02d0ee3

SHA256
eaf7d45678559d29796854361053eae67bb2a7d6efb61da764297350b01716ac

SHA512
ad573f145dabc7ea9554f9f39ddea0e27577c1a16698cfaba1eafbf45443d6858d9270f2ccfd26111e712d1ecd50c0a5882bc52f531444e237715a66bebef040

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.8MB

MD5
835e7ce3749bde4be38624d85185e91c

SHA1
f70c135033ee6e11ccb39557e9292a688cdcd2d5

SHA256
4d2a6663bd1376439a4b1f3dc69dc77a2df7ab3489ab14fc947124ae857dcb57

SHA512
c1db489d25509907fd4d684ed9fb2ec2e8cc61d09ec9a6e29852d4f57f5adce56ba2997497fdca82734a45cf345c2bac23a7ccca18e623f4b6fb1d25b1e8114f

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
b069dc7410eef2db4e9dfe44e460e4fe

SHA1
63790be8bfff2de293c6a48bbd782ccdcfa3aa22

SHA256
e7ed9dcb883bbec23423df56d3b428f595a5608ebb08c60ea3655638ac11b5ba

SHA512
96305f441e723ec8df36eaddf67598f1a8579fb0d64bd8d28bd9dae1d645a7995d4d5705dbc3409dcd2763cd49423f571c2d56050a4d7e0e494c515ed7e8aa50

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.5MB

MD5
2ebd14159ec2fe5132161fb286b2268a

SHA1
b2f384e3c7b6d5d77718cc967ec91f81c6ac47e4

SHA256
2c2682b30c6fd9402e70977fe225fb2bc373600f42249db14224e5a36f23cd23

SHA512
cbfdd421b7b3d0c6e42aba030cd4e24676264ab16b7cd9efe75726050ad68034276897bb2fa159231b12a5cd215e2ab94073317764c834fefad2c561730a9a48

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.9MB

MD5
9727848e64e3b86deab75568e91f530a

SHA1
135b53d2b5d41ea02d626f1144863763be733420

SHA256
6d0112a143e0e473a8bed5a70298732517e8ce4aa501988a3ebe467195f284de

SHA512
013b64ae6fe4211718e8f014038c1f8399c509d904b73b14ffbd6113473b7b279b3dfbefe2eb07f8ba2203a798372a18182d62f3f5231cf0d2565397cc34fcd0

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.8MB

MD5
62a512f2fd20332f2b1604b433ec3e45

SHA1
92ad0707d5e0ed1d0758334a2970cd5bd28f99e8

SHA256
79b3b7f0966531629078244b022501552e786892e87ffc3e1d0c1cf1543abecd

SHA512
d8e910afff126dab1e7a378d212e80736383cc8388769612556b6727dd9b8af6258233a19d3ee306e1daacb962d3457bf76ae01965eb92a67ce5d941ab929a7b

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.9MB

MD5
d02bfb3e03f0b6c372b7ccfded492dcf

SHA1
0f26ee9e38f8a4d87b563e5af23f87ddfafea33a

SHA256
72c951f2902dc00aca569c1009d6750be43357b18f242135e654251a32148bf1

SHA512
753b255ea02f59966f4c4718c985e0b4077a1d41bf1f2de79334cfa0b64f5c18f6a265b835c54514dcecd3c36a3759943d09d7d6a6f4de8b6232143e41a4cf3e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.8MB

MD5
53215e1878d23327bb3bcf3a62aa209b

SHA1
9b9057e8e5f13ee0dcb4ea18f1e57b2705c89430

SHA256
8ae029f4f0eab265346043195180dccd21b8067a0db1f3a4a4c2c4a768257874

SHA512
b74ab88c57f4a8b1bcf9c868c6078e3f3fc9c3b48ce742788afe4f6d6b205591080efe0995d4f9b160e2def894c32b53b6eb06b673c8d420767172396847baf3

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.9MB

MD5
c9f5f4f93ea62bc91803e760b248bda8

SHA1
d2e3bfd3488c3de338b88140230784c73be55446

SHA256
003eb57648801873e251f8b7ebe0bf74a78c1a7c12454823e140f4384c5cca64

SHA512
b1d286f467d0445b7c7d241172507906be16c140ea80a30a8faaf20bdd9f00c614cfcbae8e64b4c685b493e3d917efb8b227fabb3d2883fbc786a36929879947

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.2MB

MD5
69781dd2543fdf58d405ad90a51ac5c9

SHA1
928d0ddc74eb09874a70c29de92cc23d71a7908d

SHA256
a5bbf2e0624e8656faecf98f0a2dfe9215355995c05d9464b01ccea24259badf

SHA512
abe9eaadccfc4b87eadd404418ba91aa863b74ef145acc12f0a847b48541773e3171551cecb5816c47c28683c3b8161740a8160aa708f6bb8ce4d9687cee5c30

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.4MB

MD5
fdcdcaf404ad6980eff954abcd3386aa

SHA1
8a51c2e613746599450918b47a9e7a9be28d6ce4

SHA256
7c2ddad78646783c2b3e5f0c6ec9aa039d1df103a7000750b272ba0e65db656c

SHA512
5813321cf5e4e81ee043fa374af19932fc3bc1b5fdae510710e05515b388ed7893c4b305a9558bad918479ade0bc9eb11898ced7457771c976da67768a96cb5c

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.6MB

MD5
9f6c52dcf2252a59be2bb091bbfe6381

SHA1
f312d0af9927dde22e31ca48f2ee1d7df8c337b2

SHA256
4c2fe46792ffa831ab2855a4b8efa7d376f0d94be0da931bdd54b27b3e0e4a02

SHA512
59558434b0ae832a23d434c8f9f67b8cba3b24218e7f35f7fc4d5fe6c127f6ec95321dd0b70a0b2b6d1abe0f974706b131418acaafc9b1f5d60ea175deb2cd16

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.4MB

MD5
017be96a31b151ed27a2db963ca5295d

SHA1
2c1f4cf8986802b463b0b08dceb3dc0f915fd0aa

SHA256
0035290a6ca2ecb46fc0a3ad867a8ef0635f2564223b3c201762f3a2f398ba9d

SHA512
64763f8be8097ecdcf363b1146ad90214a073a55b3b443e7aead44e5ab56d9010b10e46aa39244044cb4758d515acd55cf53b542fb83c02a210cc3ac66a27fc9

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.9MB

MD5
92c9e5dbc977d9cb5a362a56c6760b4d

SHA1
8f3c08d673bfe363b4a568eb3af8c6351d735118

SHA256
65919c63499ae2b2b0db5aace5dd853cdc749fd9c3c539a73e823c121f2373ba

SHA512
59f86518de34c3c413da19f867c32315a3736523d2480368e7a5d59e39ca1fcf5f89f46b771b58ad1a59f560fba68f85b064904c15228c705cd8054b4832824e

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.9MB

MD5
4fda0173d1bddb006c5e5dc2a762f6b5

SHA1
175a34a5c2e1b2fb8f3c189238632898e44a0372

SHA256
1e0bf0b233903be4a30c4dae9d06f8755ca0ea7936058b31693a43ef0ba8d4e3

SHA512
72abc41dfc01e9cae250e8df9fc308070d559ed318ee4170e1dfee7848a154c7dc490341a982fe761d950ca877d155542dcadb7961f2ec35d741747763d6bd44

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.1MB

MD5
fdc077c918460149e386cf9a96667fef

SHA1
6534fd08f991d47c1aa44d1f041ac3928e4077e4

SHA256
da9b00287e09cbc56109828c7cfd94536fc7edc242946f265700d5ab6aef2ee7

SHA512
c45afc200aaf19dd71bace80c8000e3f5a4014b6d4d575b82499124d65817b34e23457b5245c3065c0f1ada920f3e3c363b3be13aa74e384f0ccc1f8a1d65c1f

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
1.4MB

MD5
50a557665c5bb4fa372fadbeba73303e

SHA1
df2eddc14a72381cc26c83268faa2f1806a58457

SHA256
26a053bae335fa424fb830ccbab450145b163c9d475edffa38384e3e623bcd5e

SHA512
59d16c7bad2cb69ab52caddac72a3518e81f7aed71f313c52c6b618eccbfcad5ec809503d8f0405102b8a89b1c08bcc695a01cc5b19f83dad0b07c945dae76ad

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
923KB

MD5
60038d4e965ca1fc985f5b45f3689ee7

SHA1
772cc95bff90bdab4be15a16a31e662a03f522f8

SHA256
365bc145009df91d6b33d262a8592b2f276d90fcfa0f85b14d4d152fa2dd18f2

SHA512
ffedc0d3aab8e6a7440747623f9abaf2f2d6d206d0b7e52dc9792108cceb75d98db9aab5a439b7ec3278306a89fd83654268d030a5c0f6c2e2962d5861474546

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.4MB

MD5
1ca342bce7a66d6c065f3ce28be2fe4e

SHA1
89878550ac8a3500ee134b37652cd3620e452a11

SHA256
4a2682432314634066e9694c8d73fb3c43c26744127caeffbcb0342fda186fc2

SHA512
908d6e65a9a5ba317e6583ba42d97051da6cb22af63389ab298d890593ed536703de9396b8d6442b177744cebcd258ebef1cb4fb87485ca4a03342f4928c714a

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.4MB

MD5
8f6569f6cd9b7e4af020097c47b22b22

SHA1
1d46c2b010a03dc54f6fecb5dcd59de402a54502

SHA256
b33c4cc8700658d48c66cb1d8dc1570a1c8e393751d9deb02d4150b686436a8b

SHA512
37bd9e26795158aa15d98bea76d4092ed0b51418e8304302df46ce25b34651d0f86e60bcd8fc0e3b903ee8042e0a8ea85c8c1176da68cdedc9ce2335a70bcfa5

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.5MB

MD5
4101444a05680b0a84779729f8fdd96c

SHA1
6a72291118c1cbc4855d59e6041d5601e0a12169

SHA256
b0575e7cf194e7b2b6f14f1ff1c705db97f8ecaa001bcc0a12a8f3a07afd7df4

SHA512
462ca78efb511c82065dc62ff0a3cec9c02fbad7ab3f08610f4f4a895dcd32ccd9dbde302569e5a0bda1a7b5578de76701f9eeea8ce3cf5227cb4f004e251aca

Download Submit
C:\Windows\System\spoolsv.exe

Filesize
2.6MB

MD5
1623e06aaee46dc5687b89d7500d8d76

SHA1
1345b945768153fb7566bb45f375de8d89c5986b

SHA256
75508bba04f46ec34d3207d763c3d8910d8ccea7ed68b14368e3eb93af90a5d2

SHA512
57a540e993185d854be30428394c277fd7028766cf7dd47487ff7a0733cd6a3a93dc32b497834e918cdf0c60dd00a7e84108a8550d5e3177da7ddd0d6fbcc4a0

Download Submit
\??\c:\windows\system\explorer.exe

Filesize
2.9MB

MD5
e4b7fac65639423f87665f6584d0a5ba

SHA1
e93a3c6d6b6b0376362d64777689ac1e30ba6040

SHA256
695229e5e2e7a9db9328d14242514b8a2aeeb73d169853ad5e4f4774fa903ce3

SHA512
99bd3a7524296f24b196b3abdf98c32e79b36d0fac1c0d18a02ced85d4b66bacb53786d0382e00d6ff0e041390f670588e2784c5227e181d0991feac1e466126

Download Submit
\??\c:\windows\system\spoolsv.exe

Filesize
2.9MB

MD5
5f63b604d0704a87d8727caf24ff3716

SHA1
a6e743937f82fb6de2bc9d095dcb8edaae283e65

SHA256
639109972175c63d40571279c3aee5a7efb8952ae2a3b2023deacc3b779465cb

SHA512
acae145ce4e07b52247199d63d2ff0ee3a1f15b77445c797512c0622f38979bdc03ccc37a5927c5fd06921e8d148cba71e991865f6f345901a62add56bc8b90b

Download Submit
memory/348-128-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/408-305-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/408-417-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/428-263-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/452-334-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/640-383-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1128-419-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1144-340-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1192-406-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1608-290-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1724-370-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1792-358-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1848-430-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/1852-153-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1852-304-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2108-220-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2128-11-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2128-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2136-234-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2612-381-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2664-205-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2804-248-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/2848-444-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2928-291-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2940-432-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3012-191-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3048-178-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3120-44-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3120-65-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3120-71-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3120-41-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3120-46-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3120-43-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3120-42-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3120-51-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3120-45-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3124-262-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3132-192-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3392-319-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3396-346-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3428-275-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3452-320-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3520-62-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3540-206-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3544-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3720-367-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3856-86-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3856-85-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3856-82-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3856-87-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3856-83-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3856-84-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-8-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-6-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-10-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-9-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-29-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-15-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-2-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-7-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3940-5-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/3940-4-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-12-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-3-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3940-13-0x00000000004E7000-0x0000000000513000-memory.dmp

Filesize
176KB

Download
memory/3960-394-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/3972-382-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4088-102-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4136-111-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4136-110-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4136-114-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4136-113-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4136-112-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4136-115-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4192-208-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4252-235-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4252-222-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4280-126-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4280-122-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4280-125-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4280-127-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4280-124-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4280-123-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4324-395-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4328-88-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4420-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4460-407-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4468-140-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4528-141-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4536-331-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4636-355-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/4704-276-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4884-165-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/4964-176-0x0000000000400000-0x0000000000628000-memory.dmp

Filesize
2.2MB

Download
memory/5048-249-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/5104-63-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5104-67-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5112-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5112-50-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download