Malware Analysis Report

2025-03-15 06:30

Sample ID 240125-hjtdhsbaan
Target 74016813115c8ac3fb3485e3a102cd13
SHA256 0ff0475d18a4f004829bcf088f0210aec1d5d56fc46fffc20eb7d20a5ca6d709
Tags
rat upx warzonerat infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ff0475d18a4f004829bcf088f0210aec1d5d56fc46fffc20eb7d20a5ca6d709

Threat Level: Known bad

The file 74016813115c8ac3fb3485e3a102cd13 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat infostealer persistence

WarzoneRat, AveMaria

Warzone RAT payload

Warzonerat family

Warzone RAT payload

Executes dropped EXE

Loads dropped DLL

Drops startup file

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 06:46

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 06:46

Reported

2024-01-25 06:49

Platform

win7-20231215-en

Max time kernel

102s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2256 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2012 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 3052 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 3052 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 3052 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 3052 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 564 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 564 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 564 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 564 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 684 wrote to memory of 1116 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

memory/2256-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2012-2-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2256-4-0x00000000003A0000-0x00000000003E6000-memory.dmp

memory/2012-3-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-18-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-20-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-22-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-23-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-25-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-26-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-27-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2012-31-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-34-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-38-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2256-37-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2012-39-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2012-41-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-42-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2012-43-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-44-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-45-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-46-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-47-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-48-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-49-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2012-50-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-51-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2012-52-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2012-54-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2012-56-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3052-58-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2012-61-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3052-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3052-68-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3052-64-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1648-74-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2012-63-0x0000000007000000-0x0000000007046000-memory.dmp

memory/3052-84-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2012-88-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1648-89-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2012-94-0x0000000007000000-0x0000000007012000-memory.dmp

memory/2012-91-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\system\explorer.exe

MD5 8ed88c5ac85833ce317fbff050a70050
SHA1 47bc13702dd2146d6beacb9bde2d269f0096b8ac
SHA256 55f434b7ea0b1aa4bda199b51ecfca7e279cfade15ae6500dc85a6e2f019023a
SHA512 558e79e49ad0b0112dc65adba2d918a672ebbae372394d4220478e739d69cd7089a62e24fb334c82d0090b0d1f5889127a8592d64fb1c80dd9b7fa5e820e21a1

memory/684-103-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3052-104-0x0000000002C90000-0x0000000002CD6000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 deb496be149ae8f1265e1ca3f4900f0d
SHA1 f84bb47c9810deeb5c2ac5bc932edb73a8088ffb
SHA256 60f08097740012cea06c7242d4230b4078546ac0b8d9b0e4d0ef6e477fba5dde
SHA512 317069a174c18a568b8cb168e1e6791931c048b0f9e71e3a97ceeea06dc1fa18a3121ddd107edc0f403352f1191ab0e762ad1e03914c330311dab654dcf202e7

C:\Windows\system\explorer.exe

MD5 0278380a3899b98ef8c87419e77e3ba2
SHA1 4bb10de39d26f699035970f84f1d58383f6b6fa9
SHA256 227151ffbf1203bd20308ab5050a387466830e078796639734fd674d34998aee
SHA512 0289c236cd263528b5dceebeb089672ef2fb10428c76604374e642d94d06bae69640e9ec320bb43d51ed5ff1e8225ffd6d5454c49e38bff514a6f5e7a6994801

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

\Windows\system\explorer.exe

MD5 b914c04c0de28fe0090d112e0bd2c017
SHA1 22ba2323a3bdfd3e8b2182fb9088d614d6e604d5
SHA256 d588c6ed565a4fd6bf434514dfe0a002897fe2e951733692f50489943b9cb64a
SHA512 8be5eb8b8508a6636f510b3462cc1b765c506a581ddac28373f4bc08455a6d369cb6b70e7e1035664b37b9f1ae959f6876a6840745024a40b0601ef332182248

memory/3052-97-0x0000000002C90000-0x0000000002CD6000-memory.dmp

\Windows\system\explorer.exe

MD5 750d053cd291c12a259d3b8a3901d373
SHA1 f1901ea351f18ed997a3f321725c0495883ff737
SHA256 9e47134d6f41e1e6fcfc2a0c2c5ed9f81bc8fd07348a38341ad042c2539debca
SHA512 1b8c0d2c4e88c2641b66b45e638f47fab848047ed1d2eb924e49bb580fce363da082bbc2562062871c5063e06db2c54bd617d3b9e56dce5908dc56ac0b99ddb1

memory/1116-136-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\system\explorer.exe

MD5 940ca36be59f0cf64ca21de44e9dd62f
SHA1 571676847d51204706e1b5e3b4d5d2e21c15f2ba
SHA256 2081b3d8ef560fcec0f267b12f71415a094e36909f94df2270add3e553d76bcb
SHA512 0d9b3ad66178f2dc2a202acf054cf61023a04b044bdbece1b749d009f6d75afb011ef65f4eae57b9e4a4569308001981e8b465764cdd5d06595e2dd13f91223e

memory/3052-141-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1116-151-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 16bd25a3c6d3025ab13249e2c61d981b
SHA1 342fa28f45ff0c4f7c58441bff92d9ef6930ad36
SHA256 2068e913253c1ecd5a6efc1da8450282824979323a77b46b4730d7321e564764
SHA512 2fc5cc233cd133671c505da1b2048ebabb75a31b2baab2037a3bc9654a211e7d44e11fc5ab94b99cdbfe13a31902531dd538015d98ecf63f885506f0042f2059

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 d5cb86a95a26bceba3042aa4f5735989
SHA1 667f67a8c29e131188aa67a1a50c90929afaa96d
SHA256 a3afce6be30974eb7aa4688b42fed7afed108e764fb03cd7647b557084c767e1
SHA512 ef058811b5aefdd1ffa34f0f714d26688d2d7eda2a99fc60612c12c5487f80eeb77b0f1f3c1f9c5516d35a684922a63f2138fafd56f69f6241a49c78432e6917

C:\Windows\system\explorer.exe

MD5 03293eb9ea90740978bfda4e08e611d4
SHA1 14b832f017968b30232999a062a0930b8e980e29
SHA256 73f7316ccd13e07d4bc07faa54c8b3bbf84323ed047357f15fdef3dd5e5e5646
SHA512 680c9bd3696e3b8e43ed86cd9a5803e1babd86948eb75d02836c9486fdd2748c4d9555bfb57e1cfd6f11a1ceba1067e67965e0f866f1df78e1bf17f1c9c36f32

memory/1552-185-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1116-189-0x0000000000400000-0x0000000000628000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b1cfcfe7758ef3cbb30ec9577531d6ca
SHA1 6f178c4f640080b595cf399e0ee9da18a18b0f61
SHA256 b8dff482a43aeef007e84ca7f14e2faa2087305ef0e37886d0cd5569a5aa6141
SHA512 e5cb6125c248e6ce34550dff5f9989ead311cdbb40b9cf5480ba115a5e4e1a4b68242301b68fbd66cd2a7aa6c236b50bb022510718c8fe4e68b25882caa49145

\??\c:\windows\system\spoolsv.exe

MD5 91227c1e77058f7fcc02ebef6dfa23b0
SHA1 a3a58cc714b18dafed264b40e5e5808ea1310425
SHA256 98aa6383aed38f1edce117f2b8c7715dd0f4bc67c1348a272da39305ae6f38c0
SHA512 73b60b294c0461ee9e6a23123fb8c92f2bcc26b043353f5c730265e64f77e114beaaa923488f867191666d59aac8d25a90e7897ea965b77371341deb4eba38c8

memory/2476-199-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2300-197-0x0000000002700000-0x0000000002746000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 35fbc5b4ddded53285259e8e770a921e
SHA1 d1454876ab351a0a1b6f9a6af59c605add8b8e1c
SHA256 f4a234abc3be9d713caff0e8bc821c076affa772ac9a8f53069726185c85e480
SHA512 6ecee69f5140669993e953bf9b6f68af81a52af0519153117f0cb637278a1879df840441c50bbc47c4aed32544e93b5712b0601940bea57d497e5bcecb9563d2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

\Windows\system\spoolsv.exe

MD5 427d1c69a7e47f7f997600e41679e2c3
SHA1 39625b2cb4bea74a4ef27725a7cef1021ee58bd1
SHA256 bf7c0e1dcfdb6196cf5446329d6841be3ecc1a2bbef9dd5342236c04e453c45e
SHA512 a1c9f91569b2bdf529f40635bdd51d260c14510a7fdf10fb2639c3e0ddf6eafe694142a398a455b347ca4b988a7d6ce0282e727e1df48894795cbac1cc853e6f

\Windows\system\spoolsv.exe

MD5 fbf2c0f2fa4c5b97df6a04f911cde173
SHA1 4613c3247d663149e8703f8dd008ad091dc80842
SHA256 a9517c71f4fa07711047607a48e296fb4169497d11ce923807506f76145982cd
SHA512 daf8037209455af7f15b57d34e57eaf4a7e1c910466d7dc164b0bda2166879e66aa3d1e0914fd556fdf50e5c8ec35e181ae7735466fa07c5a87247b17dac37e8

C:\Windows\system\spoolsv.exe

MD5 12d918a62024e73ec9b049f36d98b4a1
SHA1 0f25806aed76e8f25605f63b5ba90cb1e8cf34db
SHA256 8784c2cf4de95c7bf691ff0a19606d44a4ac3c52754fa61f144c4ee71995978d
SHA512 75baabf9711b0852d1fc5ae93da18664c4620dcd7999f715edba3bd6938797af893c2f348d431e52f53897d2e87f8747a9606c6bb6e11b9a44f43fe4e09642c0

memory/2300-238-0x0000000002700000-0x0000000002746000-memory.dmp

memory/2300-239-0x0000000002700000-0x0000000002746000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 8289612da1fd8b1b5ad419f7292d0908
SHA1 2480d9bc311b66c4b279817416999dcd30f66827
SHA256 2b521e7314370c531a5762fbb45b278cc03a8e25ace71eddf0efdb58f047ee37
SHA512 2f00d235f8a8f6dd8896d42c71d518dd5c80fcdde3e1ebb7efb207a8466fe8af971574ce8a86d6288d7269624840272f4ec1a8ccf15e1aabb02df4e7e2095cfe

\Windows\system\spoolsv.exe

MD5 0b9bb441465511ec2e7d6d600291c34f
SHA1 763976db22942b85199383df4c07f20d04732b01
SHA256 e7177c27320652bb6048dd74c516422afd8cf3011ee2b2483aa96d6e923b7e14
SHA512 bba206d78fa4d4919bf45eb90abdf75d188a7409c79090fa11f4c427cefb83a05ee86e9c4280168640288bfeac5cf9ecd7e5182c68423bfd0264837cad7c8106

\Windows\system\spoolsv.exe

MD5 7baf1e49db8b0f28160d0af39abf7d76
SHA1 51cbec541d4d918fe45d30879bb1442ffd485a1a
SHA256 778c701fd94962d7a675cd2447628ca6d8ddd13364f595ca674fe97ca6465cd3
SHA512 c8a6deaa2a5fbef61e0ed60c9ca8cbcc814dfe5deac91c3f802bfcddd33a837b8e78e0e4f2bfb5c0de6b84b77c608e89093cd1c6c1cb4808af4010a78cfa4e41

memory/1296-242-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 8f822cd404b28b4b244647059a336582
SHA1 c7b16fd9df47ef7f1ffb267d217d5ea4db60f8f5
SHA256 06c04fbf4d674f4bb3db109cbe223710cc37632d3534f303bc1a2b1364306a7c
SHA512 2ba65bcb40d9b6ee122097bcce128da82139593fda5e6d8839b81a6ab2f22eb5a7341b19670d84a99e1dc7815733a218f64e57cba205312299d7654794f3ec91

memory/2520-257-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 33e779a711a36d1abb611466e296d79a
SHA1 3b1badfb032ce381cd69ec1e4b31b8081c3f697b
SHA256 c9a0ce4a15205c8b4b35bac9709829f3b285f2b7507b23d6346f031ee6e05816
SHA512 9dc8081007cc33af0c66ade9c01067296bffc7d8ec8bb41ba20c172fb4b290316e27182f9dcf1e9a8731c94a5871f39febdff91fc675d85d6708437757d6e279

memory/2300-294-0x0000000002700000-0x0000000002746000-memory.dmp

memory/2300-292-0x0000000000400000-0x000000000043E000-memory.dmp

\Windows\system\spoolsv.exe

MD5 8540f4d60bb1665dc7d408800f8c2ca6
SHA1 c19ea79b9d278dc8e3fd2aab2345d1eb4e1c5628
SHA256 56e46f17a38b71870825bef3d976ce0bc58aadeb37edfe662a430b69f4728540
SHA512 d9309ad9311a0de4c7fc4ded65d24653eb4c58bac0225622a3ff79329c30b60ad960998ee132b9de8df7bfedb45630e78374135510188edf92b54ec36ac90b7f

\Windows\system\spoolsv.exe

MD5 bb5744a785a89b623f2a5349d14332e1
SHA1 5f56b222234a80675e1bb6404c5b5a35eff2b805
SHA256 18f26dfd415f91ff6580bff3dd9df3b94cf85376505c6664c0a9ebe5afb6d58c
SHA512 b2a3b3d022dcacd34d22fe3293b48a10817bd8bee37b54b2f4c98f8bcdfcf1468a3f39372518111f4f75cd2ad96dfe6ed1b638b3ff8273f3cf5c2240f760fcbc

memory/2300-295-0x0000000002700000-0x0000000002746000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 989a519beccdfd1f7b51b4b796c9b7f4
SHA1 37a892df2e05e4e86ce63082d1504ae5a51114dd
SHA256 4062105dd9e4354f0b2912cd49f2ea4b657638dd6d70c72b7829a7083302796c
SHA512 c0e4d1d2f67a4b1a4d328966a1cd66036d9a43f640b9b1c4fdd2680c520f999774ab995c6915cad77249bbaba397a0a837d9aea9040ee8b81e4e1536b98cc6b3

memory/300-297-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 0991e891074266015b997a5068b40acf
SHA1 458fb129a15d96a377befceb8210a8552cfe34ef
SHA256 96104ab940256a447be6ef7ab4702f712253bc1eda2443ef2022f2ed4a7892be
SHA512 22fa313721729bd56d3c533cfe85a5c75b22fefc79eeffb2d2cc64fd46faadfbf97dc597995ffe457b6721929627c95fc98cf58cdbdbd1d6440acbe2c2799390

memory/2712-313-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 597a9ca7e41183d3c888ba9ea99dfe4c
SHA1 304492049eaf3e7caf4a3bcf88c1c3d0dc6cbd6a
SHA256 d1789dda96ff2de78b7aa94e1f3ce6bb1df77e9edea05eab2f65c566dc5bf8a9
SHA512 f4ca71a28f57188c0f709bf9d2f1846cdc1e59b11ea435cae50f5b702b70d295322348012669d67e9fd85714e5c6faf7aeb7260422bb62115d0fd6c07af15bdd

memory/2300-350-0x0000000002700000-0x0000000002746000-memory.dmp

\Windows\system\spoolsv.exe

MD5 b2291d1dc3ae4c88a7b18e47bf34e89c
SHA1 f2be0f276281de3aae6cc645d218dc4b5dadcfcf
SHA256 d7e43539f83b0ba76443f06c757a5c0a332a3a41e665aeed0702910cad584fa8
SHA512 0741373625a966645b2615712fae044a567d1f618b132f8181545c48f795aa1312bcda544ab084348b6f922df7050ec3edd6df6f664eb3d308cf9294aae76bcc

memory/1200-356-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 391bc0564255cd908509de7a8150f65b
SHA1 dbbab1cdd5a1d6e6ea5c4902a5a4cf796eccceb7
SHA256 ef51e4efc54de0e8fc2a2c96d0703980b599a129eb7d8ccbf1b63c31ca7259e5
SHA512 dc833f0777d0d171b32d1819236d95c9f8a7bc7d24c62748ab8cfc26567ecaa21132ce667635c305787437175d09724814540c277cf6a5f3aed88bbf7ee1fdd0

memory/1216-358-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 4aadbee8359f860bf9a194e12d6f76ad
SHA1 50c6b854fa319d2b2e43838054894ef7d9c0abe2
SHA256 b64d4752fef822dea338df11a366b7a0135b5d39517786fe74d98afc031ab1e7
SHA512 0239ee7903b188d677717a74809910bdfac865acfbcea98cfb8a43029c3622fd04f29f25cb96a3408526bf52b568e9983850f7272a2ec1f3a5010a219dbf6c38

memory/2300-362-0x0000000002700000-0x0000000002746000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e31d86350750f078bcb8c4a4a3e2c981
SHA1 c394a90394218726d18c0799e277ef2bb9c0ae97
SHA256 5b961c988733d4259c48a4d9dfd05f474f418cef57699e71fc5068c15fe555ec
SHA512 461686b06605077b3b8f706ff938313235b7d26128d6c8cbc65db3700137c7e9c714a102ecda5fdbadd637fe5f072461a4220467c76e41b24e1eff2b03893a0b

memory/1216-369-0x0000000001D20000-0x0000000001D66000-memory.dmp

memory/1200-379-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 82cd66319ad875bdff13567958ab49a3
SHA1 e33df78a2c42bd2816dc21edabfd86a5eccc322a
SHA256 3a0c0ff6b03139ce4e424be02e8de44343fba05b4d6a66063cf7ca8fbc7a61fa
SHA512 1b4bfe76826ca73a25d6e160714ba01bbc50247c0756ef2bcf2dbb198c65ce7c5cddb9f40666dfb3c2b70af086c81ec73e16e149a7fb812438cc7ffb5f3bde69

memory/2300-404-0x0000000002700000-0x0000000002746000-memory.dmp

memory/1516-407-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 1b197045c6476b0344b1f407b99d351d
SHA1 3e8e892fdadad67732a24d4091ded1fd268bee06
SHA256 09538f9302564e1640b566bd56ca1688b68c539029d9c93d28f4b4594de388b7
SHA512 9e52671c6910b48f57164a0ac5864f9dc27f1d51e76fceaeba733e81a0061383eb824c6821c6f2d3af4f7c0a358d2fba4c195513a633d8ac0cd3778db6fe2038

\Windows\system\spoolsv.exe

MD5 995e493c55160973b8da336fd4220e36
SHA1 62576c8ac8df24d4b20bcf77d67424a24795c5b1
SHA256 9979c48844060cbc8cd22fe423104d55c313f4ab7c7fc06f0df1f0bdb2832f7a
SHA512 b0e7828157c65069712c0dfb72b39c35962f8c1af4a0c29496e2aad0782eff64c12a5fa2a65b8425808f6e23705b84df679f3423dabf83df3ea29c9ba9dc3229

\Windows\system\spoolsv.exe

MD5 eeecdffcfab1f14c143bdecc2cbcb215
SHA1 26311cd277d1d401e2da2c85bedba92d447a3d14
SHA256 9894f5d4a94aabd48bf5ddcad452fbef86c1afecda5690be552f2fa079cf0eb2
SHA512 e0dbce8d42226932ff1fd66a397a7f5e5e8e64628bc282f6ee0b56141aa5081ee93fd6452797ba25813638ef2c2d92fe0afaec787ed779f3bf45d0766fd7355f

\Windows\system\spoolsv.exe

MD5 803033e94a1752e5cb44b59a50d82a47
SHA1 ba0d9d50c660e8f2bbd10311d50ac54300cd02bb
SHA256 b5c363863b08c48bc519b3a6e73b8cfd7b0c50958addf0224f33bfc5c554de73
SHA512 5ddba67dce191ca276e3bc1ffab534899455861417d9208daba12b340c669246a10e53ff7fb9dd27a8c9eeaed7c3ec7b91f1a4388abc5dcbc97162005d3746fd

memory/1516-424-0x0000000000450000-0x0000000000496000-memory.dmp

memory/2892-426-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 352288e4534bd9bba43fc71593dd92e0
SHA1 806517946de0cbc19b205fb240844fca51e9729c
SHA256 52e3f61bbd2671d1917341f871a2ed789575791b5bbea648be9335bd5c4d98c3
SHA512 8f907e46b164f4c6c3207253561692d3c9cdd6eabf86921b214c5e318380a54c773f16d267e63871ec26ce312bafebd25fbc1020a114fb58a5ae081257be2bd7

C:\Windows\system\spoolsv.exe

MD5 73b71df7c9dd649b6c0fb4ea36f334fd
SHA1 1a2924002221de73cb9a2baee10ab324b015e3b8
SHA256 f80bb53581a4151088d0df961eb93b7b450db199c1f4d9a0aad0810209939ba9
SHA512 4b055c70fdfb41a9fefde14d4948a5ba64ab09b693d728db9733aaf00f1d5af36d9c6f0e656e1177a69f4d790844514018155a60343d664528f8e256b44e8bfe

\Windows\system\spoolsv.exe

MD5 847cb0cf43f31c860a0b8adb7c425bc3
SHA1 7e9a142988a55007011e40c63254b2533c670509
SHA256 6eb972aae90b4c882432947f949365cf17e7fae32fcdf53940c1487b94965a5e
SHA512 582ac8dd977a6a7d3c00ef1169820a15b307b48027d45e29bae938b1fcc968756e872342098dd6205e3d53cee53fb028acf04697345d10a6bbd4ddc4683ef08c

memory/2376-458-0x0000000000400000-0x0000000000628000-memory.dmp

\Windows\system\spoolsv.exe

MD5 587d7444b79c9723dce76d0ab93c99d2
SHA1 c6678f23baa544aa64ac1aa3a98cf545cc15ecfa
SHA256 a392340769d595519b7f13a24e54be77585f0698f1fb5172fbbdd8857e3c7f85
SHA512 5059b542bc472c60ec080bd4cb54392b411ae36113a4fb520e2012efac39968e418878abb5044cd87df5554416b5de87bf935c03fb2f39d1fae0dc2be1ccc2be

memory/1200-461-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2300-465-0x0000000002700000-0x0000000002746000-memory.dmp

memory/1844-466-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 897c075fa50c7a9c1c2c766bf3cbd35a
SHA1 efe230565ab1cfabfc38ad004cf722a0d33b97b5
SHA256 f173bc5dc8e959bd97a717256b994e2277ea024c5b61137f57e125a777b25c07
SHA512 e149ada2a81b6e98f1dc37b7a7c6fc51d797ac9bacad9ce007bc6cd24e5d3fa4fe225554f39ab7d3c76d935ef9ea57b8a2b097d28aae3cb6385e027bf560b6da

memory/2300-480-0x0000000002700000-0x0000000002746000-memory.dmp

memory/2376-483-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 cd6873ab26e3e1233a17cbaf6c9de2c9
SHA1 c4bc51c3c9295b83312f3284ffde93458a3778a3
SHA256 64d0f0708bedc8692a0ecd769e3a887f47d355d62e11ab523ec8ac5b345bf38f
SHA512 22fa4f18ed966ab1c6240ca5e026262b0ffd267147a31d1141f36ed3b6b75f1b756f4d47b563b7acab84517a4044485abbfaad5c8ab94b61c3b1c124681d6e3c

memory/2300-522-0x0000000002700000-0x0000000002746000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 c809b7cefd0e1770cd41d450de497452
SHA1 17e7cc934adaa4f75ad477cf36b220d2d8924db9
SHA256 0fa72675594c55d680fdd6f7b086a82c0ed9b6a17249460fd803767fd0888b1d
SHA512 09dc3384af3b7adc53ed0b56da295cc78076a9d8b72c049d5d71a0e2c76da46fa99a58cc6da9a13945dc263ca41d1edcacd539e8fa38a6a3ca7a61015ce93a0d

memory/2300-520-0x0000000002700000-0x0000000002746000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c929b7707e53c117f765f0cab69bd370
SHA1 c1b5c6634d5657c442b794d4dea0eddd620fc49d
SHA256 ba2fcd16d57b2bf7743031c244019827cc2b4fe163a4b6727b72575141092ae0
SHA512 21829e08db2c964ab38ed554b25f9d82ad5a9c44b3ac65446a30cbd4539cb775f825381e128fcc91babb8e64b5c9ba8d3bbaa873020b2a0a573946d957dc13ff

\Windows\system\spoolsv.exe

MD5 bdbd2a391a39e19517c796e0ef2de122
SHA1 9a2f7b9ffe0ca4802c7d2c7d1653a3383d870534
SHA256 c6371578f90ad6347eb5de338ed242ea8fd3e624757a4832524adc53bb29c109
SHA512 459106bbeb370afcbdc54da0abf7b16d697606068a95250fbea6ebcb517baa73f88bcf6f6c28671d91a97d0970e257f24e384143cdccf79289d3de21e4bd2f86

memory/1212-525-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1708-531-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 d24e34236047cf5618110cf35ea94dbd
SHA1 113a9cdb375e6f78295723456859ff48d1958f10
SHA256 7c6be192d7ef7ee0103be774135c03fed67acdee435916ce35404c4163d080ce
SHA512 a7bd2ae4f34d9e80af8d1970f47352aa2ee86096baba16a502af8dd249ab4461bc55b3cf2216531d2bc36dad2549d3eb943781c0528f7a28a60fc16e4b05353c

memory/2300-535-0x0000000002700000-0x0000000002746000-memory.dmp

memory/1708-541-0x00000000003B0000-0x00000000003F6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 2e79ceade87b404b2adcc378d9596625
SHA1 4a961b85a557a316652ed62ba71ea28d647c0faa
SHA256 515b96f299d3599fb77cac3879891dc07867e6483dde38dcb130b9bb4d0e9051
SHA512 49a6df6aa05bd060f6c91aa3d114af52c09a1f534d737da3f85982b0dedc17c70f7041a78e16eaf02f026ed8dee486b2dc0b0017727f45857dc00972544eadfc

\Windows\system\spoolsv.exe

MD5 26f658e08a9ebad3dfdd788c04810b59
SHA1 82a416596c37ad3bc45e6077c8779afd847a856c
SHA256 7c19f6cf048a105e59cd929365c26b7f7106730c09ada9e072340238fed48fde
SHA512 673676f949591fffa2527419695d2d607a1e7902c58cfc9c2aef2477a6cdfc62bb0a5be4440b5577a6f149246c1255b270600af0c21492b73d29b48da6a37c9a

C:\Windows\system\spoolsv.exe

MD5 28f1ed5e10df3ff64da3a926807550bc
SHA1 1f2740de95530d62bc83289e29f07c5779f48de0
SHA256 5c0a8f6e85d931743074aff4929856e2deb0c0158563099551719b247ef49951
SHA512 8f9b62bcda75acdc5e1f1f4189939e2816b03c9ecb0d04106c8af6ef795bb04b6c1098416e1fd1175dd06ff0185dd0ca60282ea23261a6c33ae4779a0110979d

memory/2300-583-0x0000000002700000-0x0000000002746000-memory.dmp

memory/1212-584-0x00000000002A0000-0x00000000002A1000-memory.dmp

\Windows\system\spoolsv.exe

MD5 9849db11146a6b917ebbcd6121745b56
SHA1 83cc6efc843bfbf22f4f777060d00bebb9305123
SHA256 979b6381707e5844b2ddbbf99ec57522d468e8b1c875d943af6c45cecec4e9ab
SHA512 d98d95b40f769b91a185743e2ba19914766db909877a5cec7843705fa031b414e81b7e06c7ac4e5083e2550d0b7e90a14cf8dd917b2b32d146b8c2d2230c2cae

memory/916-587-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2412-589-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 8d0c8f1049aab3eab33bcb9760879011
SHA1 378fb05d8511bb83ca98637aaaa1597e4729c7f3
SHA256 17ea4d6f9e08f4b500688d49167021c9589ff3746982f2b5b9b2677a0a2fd713
SHA512 37ee47f8e44377e53de6dbb3fad7a4e41c66ebfe8d94a999764ae1cfab66732902e56988d6a07eb48e07c10d76d6cecff57223990c11fc29f55b81aa0bfd528b

memory/2412-602-0x0000000001D10000-0x0000000001D56000-memory.dmp

memory/916-606-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 3a94652eb8376be1710bd4c7eecc6403
SHA1 2d07c6d66604512905c095085fcebef1ed229f69
SHA256 5bc26a295eb3998c658ce1bfd74fa3f2901ad8848d91abf2c6b93ba9166d3ee6
SHA512 2074b2e4519b823bf4c9779e9134b4e65358e30abb6873c96c7bedca10eb5df9ff3971c6baf33ced397e7f6206b9cd1983aac8d5fda08e6ac300aa90a0758d05

\Windows\system\spoolsv.exe

MD5 6d28830dc8bd2d9b0102d3d67dc4111a
SHA1 45a16174066d540d5e96184ee923ea13a1a3c85d
SHA256 80eec76ae710cdb769f9f0a84d2adcf7f040c069d0205c48c066a9c60151aa4e
SHA512 393debbb79acf820d9ab97d4fcaca804c6174353c89adfb7500f5253f72a9b2bf528ec719ec5caec297995fda3f3dd5b445aff7d118ec5a7e9ca9285c590eae0

C:\Windows\system\spoolsv.exe

MD5 35764250b5f578db926d9cd9ca2ad4fd
SHA1 620c95810f10e398790e625c08eaf1f2191543ef
SHA256 25ec6e90e7c0831b05e82d73266d4a16b8b218f79d4884e51999a62ac92d7ecc
SHA512 641efa699a1497290944fd88321bca1939584441709ae293751ed96efa98454cd1e75e69524508904f039b19413ab392de5b0951ea97a6183bd68e1f853355ae

C:\Windows\system\spoolsv.exe

MD5 4418981ef61f7365b5b5f2d84719ce13
SHA1 0e954b35ea82816b837242047364435cb78f9fff
SHA256 94f6c5451028682fe83aea13f2f8d57ec458c95715980f1e799c46669e41bd2c
SHA512 4daa6e4fb0a79bc2d579bb74adb080e95f2728545b5cc6f21218b95f572eb714581250ffa3ce990f5e840f4a0c9630f238ffb6a754dc626e88460890ee8254c7

memory/3064-638-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1212-637-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2300-648-0x0000000002700000-0x0000000002746000-memory.dmp

\Windows\system\spoolsv.exe

MD5 f134e702b72d020fbc65e909e1500d55
SHA1 64d8bdc353c5b98d6915a418543e5fbca07f67e0
SHA256 278e272292cf6c59851c393a53aa8509ba87ac1c6318d40f0f2f8eaeee18d8b1
SHA512 bdd13577dcb4c2928dc43208ba980f7388858fb00ba642afc52f56b32d1e41b3451eaef3061b4d2e0765028dbcc7e3aaa3bcd87fd5c674cfec824c09ac843bef

C:\Windows\system\spoolsv.exe

MD5 615ddb6d076562715be474864002bf14
SHA1 b002346ac82efe9d9ff0fb9ba43b87b5e943f696
SHA256 d38d5a30eb84672044aacf211b04ab9c4048039292d83054eec5d04f95809290
SHA512 61a8599a3ba8d22c3f307331d6c196f8d3c840509f0f88bdd1e5e2c4925475040c72d268a3e87ea5a88f711c158a5aed16df432de1a6ba1d1b829a685306c234

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 06:46

Reported

2024-01-25 06:49

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\cmd.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2300 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
PID 2672 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2672 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2672 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2672 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 2672 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe C:\Windows\SysWOW64\diskperf.exe
PID 4160 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 4160 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 4160 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 1372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe
PID 2636 wrote to memory of 3212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3844 -ip 3844

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 560

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 944 -ip 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 548

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/2300-0-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2300-4-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2672-7-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-6-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-3-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-11-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-13-0x0000000007390000-0x0000000007391000-memory.dmp

memory/2672-14-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2672-17-0x0000000007390000-0x0000000007391000-memory.dmp

memory/4828-25-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4828-32-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2672-34-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2672-30-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4828-29-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4160-24-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 f50a855a021ed71a4d7fa7e0eed4befe
SHA1 8d251e8c56cee1ebf7695f43763c8f301d9e9803
SHA256 d936ac80bc73a247dc9c31945f60ffa2aeb53a36ccdb0ce1ce3ec6e22c6d986c
SHA512 b5243cb4261a58a4ec2172fa80212b7e72a3bc4c61a45cbd75d5663d29fc786634ab49c1045396f631010bfd7cd6f6e4f1bcb64e772f43a197611650b041beab

\??\c:\windows\system\explorer.exe

MD5 da730311a775fd62b36d810f66ce8e66
SHA1 a718bf08730cba03c768b54ca021ea291fc91250
SHA256 17332f9b89665aedb37873100072ab232d4ae05ac9541eaf167600ffcc2b58de
SHA512 e32f4d4fc4f6d56ae4b93b182bca2980501c9f9a76e2b05973efb1f38981b18972eb6681b1db4d33374dfcd14985e599d3d98e5adb8e02ec242f0ecfed761b93

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

C:\Windows\System\explorer.exe

MD5 439736c5ea4af1218b657abcb60a6b68
SHA1 473b0bf47005b40433cfae4977fde5a9eb66c53f
SHA256 cf91cd33678ec145cc9af48cc998c8e7a68de26e80933aba117fa32a7b4d526e
SHA512 d1a85358a8dafeb040a34edb30ce39095b52105bd99c30787b3b0b30e76e35f5243c78a753ce95b2487039b35386c6fd8c9f6c8b9ca7c95372e5bc97a8820f87

memory/4160-20-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2636-45-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\explorer.exe

MD5 8faac164aee8bb31a313c699bd861f0a
SHA1 2a878953285deee873570de1376089cb28af1d4b
SHA256 6c070d98f01c81b4421eebd154deafe186786b6c34bffb140c02109a3d7dadb0
SHA512 4cf1ff80b3d5d1632c01a9815aec6af9b4f67b64b44180c8d5c282e5d7587a18208f9d10a6e3e8f3acee02883c018c6e88d5f268431d0cedc2e948d0c50c8a6a

memory/4160-46-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3212-51-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3212-55-0x0000000008DC0000-0x0000000008DC1000-memory.dmp

memory/3212-56-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3212-58-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 5409186198e750e6829f723380c92f22
SHA1 708e2a4ba1cf4c722fdbe34cf61b8378bcae4a8c
SHA256 ba70e2ac454155d9e45cb59c7fb75d00c7ebcae2457c5bb61980977bbb05d440
SHA512 02fedf7bbd43bf0168cf849aa6e76fc28b4877c8f93051a736dac3677d04b82ea476068272a7628e2cd391cca8b5fd9a55a6ffec44ea9da9751d620fbe0eda8d

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 f48f5a71b594c6242a337ff93d43a9f7
SHA1 af4b79769364004c6e04674782e0a6d225355557
SHA256 70e1426f11cb6ece49bdeea55122ecda94519e53e84157653318374e7e3a850a
SHA512 9b8faf573ef6dc5a3d7692d18d57d6a9dfca9c92148f4ca44e3e0286c54f30f67cac80eb12c677c644bb27dbc27fa0f96096747b11d91c48003e48354d5ab05a

memory/3212-74-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3888-75-0x0000000000400000-0x0000000000412000-memory.dmp

memory/3212-72-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\explorer.exe

MD5 deadae0747ec96f040056251d80bf627
SHA1 f0e6bb66685f4b22063c569f27526ac474138ca4
SHA256 755b3c78753a9566ff142376308f64f3688444d3b7b7df6620d36135a59e3a6c
SHA512 ac33dbee190bdf52d5658cd1cb19138c12fcc0e9a5ea88d6c5f830bfe225a47dfc6a5358010f982d5f35e3574ce182f5f27151e3c62073b6e62f120c2665a749

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

\??\c:\windows\system\spoolsv.exe

MD5 2cc8fd4295e43752d3df8edabfe91203
SHA1 ec29525d3035d7523add2b11685c4a0b91592415
SHA256 dc498d2fa2a2a00e7901b9b69262374c5a7e472a4bcafb432f103b69c675167f
SHA512 88728c0b55d00c56418f449a9866e464c7892fceec4d3a8b59462f3e85c8bea816b9824c54fb30374b77ab4e1f70a4a96b3741727b18f7ef90360b4176977e9e

C:\Windows\System\spoolsv.exe

MD5 80dedea39bd681d0d3539bf43e26f172
SHA1 007cb8b209acb41f04122148ea752b0b3bc0236c
SHA256 f063e5a51af41d5bcacf8d17c317d83fa30eb46fea8dcd10dd745bff6601c7f4
SHA512 d9ec74f91da0884f3c6089b011cb035af5bedc0333008c403a59fbd464d680298b7f05a7015e2078fae2faaa56ad7f8bf37edb7d8c88e492a94cba2f3bdb78da

C:\Windows\System\spoolsv.exe

MD5 0abfc1329e4534985e86833d3de1d4f3
SHA1 bf5113acf82165dc26ce0a25c19390b31d8e393d
SHA256 f905d8215a35bfdd982884ed9933b33dcd32f23f8a0cdb770c520c280fb05f22
SHA512 e8f5984f7ec914c5f322ec57bf92eb7c4a665ac411fb97de67fad1a98f4078eadb79a52fc63c8cb9979eeeb2d2259a1c398dc0b6a22ee8adc18d1533b8dd4e3b

memory/1984-95-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2720-98-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1984-97-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1984-102-0x00000000070E0000-0x00000000070E1000-memory.dmp

memory/1984-99-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1984-96-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1984-94-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4668-91-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 fcbe5b6c2f65efed71096b3e07dbc36d
SHA1 ba9dc019d2d7e3998f39dde62598610f8147548c
SHA256 090bcddc04f1d3490952c9ee1e4dbae3e902750af7e48a6df2c684df2d4ea094
SHA512 f44a224e75f3252f5b7b6331e28d74bb01c70afd8a34e5bed582890b9c401a68de2941801d7e77c1d46e883e333b0f83cbaf52acf44c96a6d2e9322b5cc68b69

C:\Windows\System\spoolsv.exe

MD5 d632d2ba5b4c62131ec78645a8b7d08c
SHA1 16f0c0737fd26dd1e8bd24009b5b17a9cff804f1
SHA256 b83f19837608a8b90f46a5530ae40e773281dbc8c380de66684f10ba7b91d615
SHA512 8585b7fe77419174aa3a7cd645033632117d7726d9b26a3d3576518d5ba24e723eb0f60888a1af197cc3d2a32559153905698c49c37c8d3872449153245a1153

C:\Windows\System\spoolsv.exe

MD5 314d7d1f81988154c713cd371d992720
SHA1 4af8829ddb00afadf38bb4df986b096a7c489fcb
SHA256 3954060d5e54f3f70ef5444e6f6b0cd541238b783e5084cc4ce53310e04e9e5a
SHA512 1a0889335748c6d4a4772c3613c63367f01e8e88052adbd8687edcc2b7dc754228ecef655bf3776ee0d04426913c59d17f1443d13c6eb6dc469206a6b2b9cebf

memory/984-109-0x0000000000400000-0x0000000001400000-memory.dmp

memory/984-111-0x0000000000400000-0x0000000001400000-memory.dmp

memory/984-112-0x0000000000400000-0x0000000000628000-memory.dmp

memory/984-110-0x0000000000400000-0x0000000001400000-memory.dmp

memory/984-113-0x0000000000400000-0x0000000001400000-memory.dmp

memory/984-114-0x0000000008D90000-0x0000000008D91000-memory.dmp

memory/2148-117-0x0000000000400000-0x0000000000446000-memory.dmp

memory/984-107-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 31d4fcdfb0ba885171a77870d1d0fd7b
SHA1 f499ac62797f51cf996ef9936b7edc2078e9fa6d
SHA256 884589c60036fd244cd5de36370accf6205b6a4c4cb08f87a5967ddc2b2a980b
SHA512 892b9deabee33810309fcf61f7c41437f9cd0adc12c6563eef3e75e147e83ea3317a87d7483bf5f1c3c3aa6754d029b3cca69e8ac65f2e4a53d1347c9d0e1cc0

memory/4128-123-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 80391d3c164b00e2bad7a54f2108f7b8
SHA1 c0a5649233a71d3fce4411bed3137a55c9ba09c2
SHA256 059526c7a1fd389ec4e6692f14de78f98fecf4c0b67134e0df975fda68a70964
SHA512 80ba69d7194904375a4a7a1faddb2101a87a82345d5b1057a5e341d0a96e9e76aebfa06b84f01dd0eaaec6668b532fffb51b5bd256a3d1aa637b9005d4bc6cf2

memory/4128-126-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4128-128-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4128-124-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4128-132-0x0000000008C40000-0x0000000008C41000-memory.dmp

memory/5048-133-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1588-122-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 965bf81f279a2c6f605308de4d516a99
SHA1 fe0f2b0df24047448b8fcf20f1796a1762a466ab
SHA256 0ca80a7da77e04b33bb35646c2a38b910b8061c3efa37d988a1907449bc96b1b
SHA512 c3e56427668edb908b9e13d0d0311b9da67090b1e29bab14ce680e818a98581d7c47adbbd4c9c167cb211f0e25f0d2e194e5a9f73528bd9457b962b9b59a7c72

memory/448-138-0x0000000000400000-0x0000000001990000-memory.dmp

memory/4884-141-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 31e763469d06bb198ab16555ee7f6300
SHA1 6cc381f6e386207b870c75908ca551a4b2ab390a
SHA256 9b3f8a278444964c43fe4758465aeed85c1a343ccf904c7152d45c461652bfa1
SHA512 249ee842ad9835cde1bba2e6b743f76d9bf546e8f38464f4cd4283acbac5a619f0a5d6b25a7da246b17bd79e2e8094101f936dc448fd9343309cbc83cc36a590

memory/1984-144-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/448-149-0x0000000007070000-0x0000000007071000-memory.dmp

memory/4780-159-0x0000000000400000-0x0000000001400000-memory.dmp

memory/984-157-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 8c80240783daf37573109a3d95ac5161
SHA1 b5dafbc96c0a387f774303236561a8c4b5bac7d3
SHA256 1433e4eefd20fcdf9372d1b2ed97be73e7d177a84801d0478e2f0b2ed7daca4e
SHA512 92d12503c0b48cd9a446fc983382d118bf35859f14fa4f73fc516b01edb8148fa02e0d85cec54cc23dc722667f43638a7d16f20ded227f9d62d5e19f99d179e4

memory/4780-161-0x0000000000400000-0x0000000000628000-memory.dmp

memory/744-163-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4780-166-0x0000000007150000-0x0000000007151000-memory.dmp

memory/4128-167-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 2c9cfc6402038647b105216a8d2b3268
SHA1 34d5500ab4a4cae469de96b5ccf5de436832856b
SHA256 0c3c45216a51bef3b1f905fd956cfcfd0b67a701573366b535625d0e074c14e5
SHA512 c785dbdd6f6f44a41a63a8f58c5b641dc0dea86ace1af6ddb1c37b7fda17bce250724cad1375c3c7414d67de84b09aa29cf9899ab393cd2dc6a424a3ffae37a5

C:\Windows\System\spoolsv.exe

MD5 3c966776257488392cb291f53775fb24
SHA1 a8c1c2db9335fedf8cad12278a8179ad8ed56062
SHA256 6667025d1bd7ebbbb0e7a9d8b6f329b1711623560a9f5e7bfd87dca208c8f642
SHA512 1e6edee66491218c07bd455c66b7698034fcbed6e88d35f583d3879d836029353de62402dcf8300966a7cb4c1c9961e41d432666b3c63be3dad3166ed4ad533d

memory/2564-178-0x0000000000400000-0x0000000000446000-memory.dmp

memory/4184-181-0x0000000007160000-0x0000000007161000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 3a8d72bc8ea226a792003b56e0dd57b4
SHA1 9fe8a671bde60bb02b3cb32ce773e0a5291b1b78
SHA256 86fc630a849178b701abca3d632895ac787e7f76fb644368ea923347646da29d
SHA512 0635598f9bac3d5d83b126203ac3d377ec353f1041d4966e36c26511675193c59a9f8ad404acbd6455159a220743dbf9cd035325471ce6d88dadf030ad03fd51

C:\Windows\System\spoolsv.exe

MD5 1a774d2e467348ffe1349b535177f17d
SHA1 237bc3fc8efb699eb4d2b3ccc2f7dde2480affe9
SHA256 353d74f8b88e748c0d5ba0add055687cb602af5ca464c488cacfc50fa168c306
SHA512 dd8e8ebb6a043e813f2674b2e249e87b9b1c6b6ee36b3bc27f727433e70f152d58495c1e70920da4bd0c05645634cd92fe278b9bffdd80c8758aa106e060b970

memory/448-190-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4868-192-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4868-194-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4868-198-0x00000000074A0000-0x00000000074A1000-memory.dmp

memory/2548-197-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f68c77de9d8f15ccd208b8c45b97dcd6
SHA1 06fca2268cb3838bcb7d86a96a872ab384febf6f
SHA256 5d056de995387301501e582fd89af37307777e532f87cc93b4d51211cf54ae41
SHA512 c46dd884bf5e5604fbfca4e71d2fe3ae82ac619b030cc82281b36cd65d4bb365a1c605c95a4be68f56d4116c281d9e14e9947ba06772352fb1732c56e8593534

C:\Windows\System\spoolsv.exe

MD5 069d9fa04fc82a6638ba0e47cc4b2df8
SHA1 60f0d0ab4348483490ecde390b53d37a91c39e3b
SHA256 d0b84c11c08de6c844ac09fb59539553e92dd38b472a52b8fbecb6c149b55862
SHA512 a0117ea6c73cdfdf3c6c85ba66b22d555e376214bd52ce7a1c9f26d48e81fc35e9d82f3061cca8f074d61d37ef2f317a01e46f6cdc54ca896cbe1317a517a167

memory/3632-208-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2432-209-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4780-206-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2432-212-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2432-215-0x0000000007290000-0x0000000007291000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 4114e44b0d5c92341278665be0d6f14b
SHA1 73af7a52f44dddfbceb83a6824e48c590191f9d2
SHA256 d14c955af1c4216375dbff67e2bc60b782d8c760ba3d254beedd87e1fb5fccad
SHA512 29e55890587e3e83127b629baecb6226b3b594f86b0f8bb04b4ac1128e3e1b789ca0e27cd54a2b5774e9e8629b1c94d67f33de4d6525ae7ba2bdc76af9c9b3ac

memory/4184-223-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 2c62fe1f8dc064b9a3c22fbab39d7678
SHA1 512265da70bdfeca25191f4451bceb6e63f3cbaa
SHA256 edbffeedb0cb2f84fa955c60958fc4dc7d34b0beceec89c33c36a6e3b2381e42
SHA512 5956e724c6f4e720cb4c5d90641cc6d4dc3c25273cfa98dfa78aebe660ad9199c30dcee62304c0a2a539e3d80618815e782ab2b42702f44e5dd6c8c74221388b

memory/4684-231-0x0000000000400000-0x0000000000446000-memory.dmp

memory/368-228-0x0000000000400000-0x0000000000628000-memory.dmp

memory/368-232-0x0000000007180000-0x0000000007181000-memory.dmp

memory/1896-241-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 fa51737617611dc52d1faf6281b41e4c
SHA1 207bddb35ba2312c3a368400aaee699c9c496763
SHA256 b4958b9a38eaccdaecd0e7b6648e6137d60b97d5628baba1294e08a68d504c1e
SHA512 abbc95b6c915c35e6b1c13ab2bf132541566db91ab25ef69559771519cb995c2da6620012b57e0d9e2e371acd191d387d4210751a362e55c409605202ab0c78c

memory/1896-245-0x0000000000400000-0x0000000001400000-memory.dmp

memory/384-248-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1896-249-0x0000000007290000-0x0000000007291000-memory.dmp

memory/4868-250-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 c5c21825ec481def9b2f371ae0b7963f
SHA1 615bc192b5828f3530d5b2ec27f41e55d102a90f
SHA256 6aa68012751ab500e8e2a576c6fc406f015bfbcffff98d4e77605bf6c44b48b5
SHA512 177017818131b345153c1532bddf95e2e1bd94f769671f28f19291f53c129f0882c5590eb58a9fa530d77230e9eb31250b14c8a6ae226aaeaf81b8005eed79cd

memory/4712-257-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4712-261-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3776-264-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2432-265-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4712-266-0x0000000007490000-0x0000000007491000-memory.dmp

memory/2780-274-0x0000000000400000-0x0000000001990000-memory.dmp

memory/3796-276-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2780-289-0x0000000007190000-0x0000000007191000-memory.dmp

memory/368-292-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 69de80eb0a3eff85dd4d24b9b75f7f40
SHA1 2cae9c6f2e713736f37c1d03684020e9858d47f3
SHA256 2a5fcb20871e02fc9dc9454bd619c72f02e9c24639f1b5736e883098b084898a
SHA512 12df058cb69412af5f68f625ad193b7a16838fc365061ef5395781b7eac2234b020dd9fc99696379fc5d5e83e6d3603fc9fa6420309a2df6a91c6c0977a1d540

memory/4844-297-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 16ad17a6a68f241f8f170c981e446fba
SHA1 9a3776ada0905002d4d25e7b978419bb01a2e02f
SHA256 725f9067b1792575ccd9ed674fe2da5e9b43ca2bb4507aab100519b9f2d097cb
SHA512 6d9f1678e5d8873fe9894e97bd36b7384349c530a648ba2b686fb952d9fea62c3e59d14abac6f279aac3385699e4b8d25c13160cdf9b385980dfdcbf0b7663fa

C:\Windows\System\spoolsv.exe

MD5 7367d79145b3f676e6284d528cf82db4
SHA1 8f413df8346f8eff008fcf266f45ae8aa11c19ab
SHA256 017cceb691963ccd4fbc83fbf19fdb0602b9f3c653219e03cf9939f4aed88036
SHA512 4c550c1fe79d597a80537e0b2802a0e50b0f90b0790088bf6f0273244a4d98b58605bc7eb8ce32ca4afbae1ba5ce59867aff8041abe5189094a4a566ce9c7b1a

C:\Windows\System\spoolsv.exe

MD5 4690864a59c6f6afb2c25995d084f079
SHA1 5a3fbc6f87ece26003efdd97bfefaad9ceb427d5
SHA256 96f2a7ea16c7c2720253554e1714eae2eda69f374a7709fded250e52768d24d1
SHA512 12885983650057893981aa2aa2bbca31901f8a2047b4956bd8240c7b6c84eddc4cf290e6a516925dc8811708402fcb4da5245a146e2aaa2d65f254769e5469b1

C:\Windows\System\spoolsv.exe

MD5 91b604111e0206dd8003ac8e24dda219
SHA1 9f46bdb632dc7b2496df0a3b7a8e8221f8dd7371
SHA256 2252400aeef18d37695179d5cf5b8820680a156288c624ff60d8655ca2c99f81
SHA512 b7269c148a562ea515df63b8660e138572eb145b89941bd698b49e8004710ea37f2fae323d552629540833e1a56c1b6493992db3119d3d6d81d83909621ceb5a

C:\Windows\System\spoolsv.exe

MD5 41a9b63c79f92b7327cbe22a1ec2c12a
SHA1 a48f7b439d5a056897effad1e3391a81dc409e31
SHA256 d38e3f9d2e322a0b2a9c3c01262a6c6dbdf939eeb5441f9cc2a2d62bc3735ab6
SHA512 9aff2578b4d4ab23fdc901873796293d15616a0e84f2169c4f0d680f814435292487821cfee0ba707344edf681dcf7d1db473fb1f644041ba7543cddbe1c35f5

C:\Windows\System\spoolsv.exe

MD5 5d9ab5c9ac2394dd7b95f7eba16ee164
SHA1 7fa5fc23786c70994c6bb8a199859da778cb2c4b
SHA256 26f5a15d24df9359981671073329bdfa00bda25b26ff30078b3ac983f6289aa0
SHA512 0d77058ddaf69512e24679d019c578c53fdedc5b85570c34e718694e2efd1eafc45dc21501129f7cf6f18e3a12aacd750285b6df46f207ff0e1b5aaff4ada745

C:\Windows\System\spoolsv.exe

MD5 4e2a1bc8a5ef264c68559be0a449f8d0
SHA1 0e8f65ab20acb19903220958bb24c3f9d0cafe31
SHA256 868dd4ae983f13e7686ddc9d0e1a8701c9acee3e5e8b91e3e473b6170807428f
SHA512 2f04cb74e18aac8f5b840835708eac56c0306c73db2a3c046b4249dc72d597dc7751226011c00d99a300b256566b379d0fa6e5790a94e51b361cf2e4cb87aa51

C:\Windows\System\spoolsv.exe

MD5 2df2199d25a411b1fd0892b6df026cd1
SHA1 2314322902f3142857e5d6d0e6874aca91c5f30c
SHA256 15de119767c1158d39cdc1731d0ed8fa367b60da34f4d8f0d0fe617b246cae8f
SHA512 91a80255539a9324bfc8bf7e48bf492099d887d2710415228b84212d4bcc77ffb780180fcf4601378a167ab491f3b802786f564a0e5e7f31155593bea273de49