Analysis Overview
SHA256
c88972c80db4fd3a9b15a9ed8d95688be6a1cfbce5030f55f06c596e32d8c785
Threat Level: Known bad
The file 8102275c886875543a28a56edd9215f8 was found to be: Known bad.
Malicious Activity Summary
Warzone RAT payload
WarzoneRat, AveMaria
Warzonerat family
Warzone RAT payload
Executes dropped EXE
UPX packed file
Drops startup file
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-29 22:22
Signatures
Warzone RAT payload
Warzonerat family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 22:22
Reported
2024-01-29 22:25
Platform
win7-20231215-en
Max time kernel
127s
Max time network
124s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2000 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe |
| PID 2840 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe |
| PID 2840 set thread context of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2224 set thread context of 1440 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1440 set thread context of 1668 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1440 set thread context of 1512 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
Network
Files
C:\Windows\system\explorer.exe
\Windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
\Windows\system\spoolsv.exe
C:\Windows\system\spoolsv.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 22:22
Reported
2024-01-29 22:25
Platform
win10v2004-20231222-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4552 set thread context of 2144 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe |
| PID 2144 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe |
| PID 2144 set thread context of 3812 | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 388 set thread context of 2208 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2208 set thread context of 2956 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2208 set thread context of 1068 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
"C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Users\Admin\AppData\Local\Temp\8102275c886875543a28a56edd9215f8.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3620 -ip 3620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3360 -ip 3360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3752 -ip 3752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 560
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3324 -ip 3324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3324 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 560
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3216 -ip 3216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 548
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 924 -ip 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 560
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.234.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
Files
C:\Windows\System\explorer.exe
\??\c:\windows\system\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
C:\Users\Admin\AppData\Local\Temp\Disk.sys
\??\c:\windows\system\spoolsv.exe
C:\Windows\System\spoolsv.exe