Malware Analysis Report

2025-03-15 06:29

Sample ID 240129-2afkvacab9
Target 8102275c886875543a28a56edd9215f8
SHA256 c88972c80db4fd3a9b15a9ed8d95688be6a1cfbce5030f55f06c596e32d8c785
Tags
rat upx warzonerat infostealer persistence
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8102275c886875543a28a56edd9215f8 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat infostealer persistence

Warzone RAT payload

WarzoneRat, AveMaria

Warzonerat family

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-29 22:22

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 22:22

Reported

2024-01-29 22:25

Platform

win7-20231215-en

Max time kernel

127s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
PID 2840 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
PID 2840 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 2184 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe \??\c:\windows\system\explorer.exe
PID 2224 wrote to memory of 924 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2224 wrote to memory of 1440 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 22:22

Reported

2024-01-29 22:25

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
PID 2144 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
PID 2144 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe C:\Windows\SysWOW64\diskperf.exe
PID 1080 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe \??\c:\windows\system\explorer.exe
PID 388 wrote to memory of 1044 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 388 wrote to memory of 2208 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3620 -ip 3620

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3360 -ip 3360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3752 -ip 3752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 560

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3324 -ip 3324

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3216 -ip 3216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 924 -ip 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 560

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp

Files

C:\Windows\System\explorer.exe

\??\c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

C:\Users\Admin\AppData\Local\Temp\Disk.sys

\??\c:\windows\system\spoolsv.exe

C:\Windows\System\spoolsv.exe

SHA512 dc05edc919c38a38804aeb9639501aeff941de3757e0da33f1a42f1ef67a979ed57bfe360737b513157ca6107af58afedfc61cef7032bdc1f96ecd1b3ba5aff0

C:\Windows\System\spoolsv.exe

MD5 841a47786b85ac2e9cc009078a14063e
SHA1 df1ede607478da70cfc4a9ad23fc155d10c56e63
SHA256 997648d573be426796f5dde4f69e1e3dbe784d806240fd55e9417790e8d2e402
SHA512 6434d0637cab5b938919562c6c6702861957f14beead17e569c9361a9668808754336d6d877dd4708956e552caa227e7baef420f1e7a9171e3c64080c4d004bf