Analysis Overview
SHA256
0ff0475d18a4f004829bcf088f0210aec1d5d56fc46fffc20eb7d20a5ca6d709
Threat Level: Known bad
The file 74016813115c8ac3fb3485e3a102cd13 was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Warzonerat family
Executes dropped EXE
Loads dropped DLL
Drops startup file
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 06:46
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 06:46
Reported
2024-01-25 06:49
Platform
win7-20231215-en
Max time kernel
102s
Max time network
125s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2256 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe |
| PID 2012 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe |
| PID 2012 set thread context of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 684 set thread context of 1116 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1116 set thread context of 2300 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1116 set thread context of 1552 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
Network
Files
C:\Windows\system\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
C:\Users\Admin\AppData\Local\Temp\Disk.sys
C:\Windows\system\spoolsv.exe
| MD5 | c809b7cefd0e1770cd41d450de497452 |
| SHA1 | 17e7cc934adaa4f75ad477cf36b220d2d8924db9 |
| SHA256 | 0fa72675594c55d680fdd6f7b086a82c0ed9b6a17249460fd803767fd0888b1d |
| SHA512 | 09dc3384af3b7adc53ed0b56da295cc78076a9d8b72c049d5d71a0e2c76da46fa99a58cc6da9a13945dc263ca41d1edcacd539e8fa38a6a3ca7a61015ce93a0d |
memory/2300-520-0x0000000002700000-0x0000000002746000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | c929b7707e53c117f765f0cab69bd370 |
| SHA1 | c1b5c6634d5657c442b794d4dea0eddd620fc49d |
| SHA256 | ba2fcd16d57b2bf7743031c244019827cc2b4fe163a4b6727b72575141092ae0 |
| SHA512 | 21829e08db2c964ab38ed554b25f9d82ad5a9c44b3ac65446a30cbd4539cb775f825381e128fcc91babb8e64b5c9ba8d3bbaa873020b2a0a573946d957dc13ff |
\Windows\system\spoolsv.exe
| MD5 | bdbd2a391a39e19517c796e0ef2de122 |
| SHA1 | 9a2f7b9ffe0ca4802c7d2c7d1653a3383d870534 |
| SHA256 | c6371578f90ad6347eb5de338ed242ea8fd3e624757a4832524adc53bb29c109 |
| SHA512 | 459106bbeb370afcbdc54da0abf7b16d697606068a95250fbea6ebcb517baa73f88bcf6f6c28671d91a97d0970e257f24e384143cdccf79289d3de21e4bd2f86 |
memory/1212-525-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1708-531-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | d24e34236047cf5618110cf35ea94dbd |
| SHA1 | 113a9cdb375e6f78295723456859ff48d1958f10 |
| SHA256 | 7c6be192d7ef7ee0103be774135c03fed67acdee435916ce35404c4163d080ce |
| SHA512 | a7bd2ae4f34d9e80af8d1970f47352aa2ee86096baba16a502af8dd249ab4461bc55b3cf2216531d2bc36dad2549d3eb943781c0528f7a28a60fc16e4b05353c |
memory/2300-535-0x0000000002700000-0x0000000002746000-memory.dmp
memory/1708-541-0x00000000003B0000-0x00000000003F6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 2e79ceade87b404b2adcc378d9596625 |
| SHA1 | 4a961b85a557a316652ed62ba71ea28d647c0faa |
| SHA256 | 515b96f299d3599fb77cac3879891dc07867e6483dde38dcb130b9bb4d0e9051 |
| SHA512 | 49a6df6aa05bd060f6c91aa3d114af52c09a1f534d737da3f85982b0dedc17c70f7041a78e16eaf02f026ed8dee486b2dc0b0017727f45857dc00972544eadfc |
\Windows\system\spoolsv.exe
| MD5 | 26f658e08a9ebad3dfdd788c04810b59 |
| SHA1 | 82a416596c37ad3bc45e6077c8779afd847a856c |
| SHA256 | 7c19f6cf048a105e59cd929365c26b7f7106730c09ada9e072340238fed48fde |
| SHA512 | 673676f949591fffa2527419695d2d607a1e7902c58cfc9c2aef2477a6cdfc62bb0a5be4440b5577a6f149246c1255b270600af0c21492b73d29b48da6a37c9a |
C:\Windows\system\spoolsv.exe
| MD5 | 28f1ed5e10df3ff64da3a926807550bc |
| SHA1 | 1f2740de95530d62bc83289e29f07c5779f48de0 |
| SHA256 | 5c0a8f6e85d931743074aff4929856e2deb0c0158563099551719b247ef49951 |
| SHA512 | 8f9b62bcda75acdc5e1f1f4189939e2816b03c9ecb0d04106c8af6ef795bb04b6c1098416e1fd1175dd06ff0185dd0ca60282ea23261a6c33ae4779a0110979d |
memory/2300-583-0x0000000002700000-0x0000000002746000-memory.dmp
memory/1212-584-0x00000000002A0000-0x00000000002A1000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 9849db11146a6b917ebbcd6121745b56 |
| SHA1 | 83cc6efc843bfbf22f4f777060d00bebb9305123 |
| SHA256 | 979b6381707e5844b2ddbbf99ec57522d468e8b1c875d943af6c45cecec4e9ab |
| SHA512 | d98d95b40f769b91a185743e2ba19914766db909877a5cec7843705fa031b414e81b7e06c7ac4e5083e2550d0b7e90a14cf8dd917b2b32d146b8c2d2230c2cae |
memory/916-587-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2412-589-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 8d0c8f1049aab3eab33bcb9760879011 |
| SHA1 | 378fb05d8511bb83ca98637aaaa1597e4729c7f3 |
| SHA256 | 17ea4d6f9e08f4b500688d49167021c9589ff3746982f2b5b9b2677a0a2fd713 |
| SHA512 | 37ee47f8e44377e53de6dbb3fad7a4e41c66ebfe8d94a999764ae1cfab66732902e56988d6a07eb48e07c10d76d6cecff57223990c11fc29f55b81aa0bfd528b |
memory/2412-602-0x0000000001D10000-0x0000000001D56000-memory.dmp
memory/916-606-0x0000000000220000-0x0000000000221000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 3a94652eb8376be1710bd4c7eecc6403 |
| SHA1 | 2d07c6d66604512905c095085fcebef1ed229f69 |
| SHA256 | 5bc26a295eb3998c658ce1bfd74fa3f2901ad8848d91abf2c6b93ba9166d3ee6 |
| SHA512 | 2074b2e4519b823bf4c9779e9134b4e65358e30abb6873c96c7bedca10eb5df9ff3971c6baf33ced397e7f6206b9cd1983aac8d5fda08e6ac300aa90a0758d05 |
\Windows\system\spoolsv.exe
| MD5 | 6d28830dc8bd2d9b0102d3d67dc4111a |
| SHA1 | 45a16174066d540d5e96184ee923ea13a1a3c85d |
| SHA256 | 80eec76ae710cdb769f9f0a84d2adcf7f040c069d0205c48c066a9c60151aa4e |
| SHA512 | 393debbb79acf820d9ab97d4fcaca804c6174353c89adfb7500f5253f72a9b2bf528ec719ec5caec297995fda3f3dd5b445aff7d118ec5a7e9ca9285c590eae0 |
C:\Windows\system\spoolsv.exe
| MD5 | 35764250b5f578db926d9cd9ca2ad4fd |
| SHA1 | 620c95810f10e398790e625c08eaf1f2191543ef |
| SHA256 | 25ec6e90e7c0831b05e82d73266d4a16b8b218f79d4884e51999a62ac92d7ecc |
| SHA512 | 641efa699a1497290944fd88321bca1939584441709ae293751ed96efa98454cd1e75e69524508904f039b19413ab392de5b0951ea97a6183bd68e1f853355ae |
C:\Windows\system\spoolsv.exe
| MD5 | 4418981ef61f7365b5b5f2d84719ce13 |
| SHA1 | 0e954b35ea82816b837242047364435cb78f9fff |
| SHA256 | 94f6c5451028682fe83aea13f2f8d57ec458c95715980f1e799c46669e41bd2c |
| SHA512 | 4daa6e4fb0a79bc2d579bb74adb080e95f2728545b5cc6f21218b95f572eb714581250ffa3ce990f5e840f4a0c9630f238ffb6a754dc626e88460890ee8254c7 |
memory/3064-638-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1212-637-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2300-648-0x0000000002700000-0x0000000002746000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | f134e702b72d020fbc65e909e1500d55 |
| SHA1 | 64d8bdc353c5b98d6915a418543e5fbca07f67e0 |
| SHA256 | 278e272292cf6c59851c393a53aa8509ba87ac1c6318d40f0f2f8eaeee18d8b1 |
| SHA512 | bdd13577dcb4c2928dc43208ba980f7388858fb00ba642afc52f56b32d1e41b3451eaef3061b4d2e0765028dbcc7e3aaa3bcd87fd5c674cfec824c09ac843bef |
C:\Windows\system\spoolsv.exe
| MD5 | 615ddb6d076562715be474864002bf14 |
| SHA1 | b002346ac82efe9d9ff0fb9ba43b87b5e943f696 |
| SHA256 | d38d5a30eb84672044aacf211b04ab9c4048039292d83054eec5d04f95809290 |
| SHA512 | 61a8599a3ba8d22c3f307331d6c196f8d3c840509f0f88bdd1e5e2c4925475040c72d268a3e87ea5a88f711c158a5aed16df432de1a6ba1d1b829a685306c234 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 06:46
Reported
2024-01-25 06:49
Platform
win10v2004-20231222-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe |
| PID 2672 set thread context of 4160 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe |
| PID 2672 set thread context of 4828 | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
"C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Users\Admin\AppData\Local\Temp\74016813115c8ac3fb3485e3a102cd13.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3844 -ip 3844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 944 -ip 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 548
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Windows\System\explorer.exe
\??\c:\windows\system\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
C:\Users\Admin\AppData\Local\Temp\Disk.sys
\??\c:\windows\system\spoolsv.exe
C:\Windows\System\spoolsv.exe