Malware Analysis Report

2025-01-22 14:19

Sample ID 240214-qtshzabh41
Target 9bcee627a1e4caf0ce3fd76712c3a3d6
SHA256 9b856c6a571edd8c70305158af1f1449e78ba9e1907a24790e2e7729c1fd2c3e
Tags
warzonerat infostealer persistence rat upx evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b856c6a571edd8c70305158af1f1449e78ba9e1907a24790e2e7729c1fd2c3e

Threat Level: Known bad

The file 9bcee627a1e4caf0ce3fd76712c3a3d6 was found to be: Known bad.

Malicious Activity Summary

warzonerat infostealer persistence rat upx evasion

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Warzone RAT payload

WarzoneRat, AveMaria

Warzonerat family

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-14 13:33

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-14 13:33

Reported

2024-02-14 13:36

Platform

win7-20231215-en

Max time kernel

121s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2520 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2520 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Windows\SysWOW64\diskperf.exe
PID 2692 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe \??\c:\windows\system\explorer.exe
PID 3032 wrote to memory of 2232 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3032 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

"C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

C:\Windows\system\explorer.exe

\Windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

C:\Users\Admin\AppData\Local\Temp\Disk.sys

\Windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

C:\Windows\system\spoolsv.exe
SHA512 b75deb86b025f3cf15604800dc31baa725b5904266aa0d2917809f3f1dd985b4894b6bf0a39ab7ac0b19e1af2bbe468b87e1b70b97df787d697609b0d07df4fe

memory/2324-314-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1356-316-0x0000000002B70000-0x0000000002BB6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 b25731b2df99798862b638df9d56156b
SHA1 047fdaddca9037a2d0081bdec9a3714305ec97d1
SHA256 74be9e12d19e62266a3f642ebf6f503b4c42f9db55c1bbf39feab3d118038768
SHA512 dc15987554439991a5b0b35f3394bcbebde2ce53c22eece1824b625b0ec78bcd5df7e396531de1f1fcfbe5dfaf75424721585bfdafbae5fa69978083252cad65

\Windows\system\spoolsv.exe

MD5 35b62fe6e4fa145bf5c3975dd7bab7f7
SHA1 ae9366831e07e30a4c846ad8025c1a1ae71cfa8e
SHA256 a3df64e80ccb2c036dd4dcd1880ce457e30ddfa060cb2a7a70ff059ec8b38cb8
SHA512 5bdb658869278f8d3ffc6462ad4d406afeccb17178f458b6caf954fc56b59d4f6a29c3a7788dda94c044c9845e914f2b54369716979525e328b4af8ef196e1d5

C:\Windows\system\spoolsv.exe

MD5 fe8538f851817f9214e3ccc2cd43ed7d
SHA1 d921f600ee8af3299a4477e1e4b0b77420b9b902
SHA256 ad66a8cc4cc7908049dda37661e62eabdd5c8aa8f64333b5a3676cc37ea59676
SHA512 0ef5a90ccff81783a6ccfc433a46a1d413813f5a25dc839a0971cef1f4f2f0b7adf03b4df6d4aceaf0a90f0711c0a760df29ead20ea76b8223d044c65ae04368

memory/1356-347-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/1432-349-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 78cec625bf6bab187e7234f775ddca98
SHA1 bbe867cef47008590d4711591cf5a3eedfd61940
SHA256 de3cf5c8d60533e09bf17c227f61e8cd98b0367a19196a838984761222afbaf5
SHA512 d6df53fee15d59ebeef30c4c1082a69db2c810d21992f642edb64fef5afbdcccf39dbe99df5cbccdc626f11ef43e5d437c919b53c74adcf7ebed19e59e7438eb

memory/2660-361-0x0000000000220000-0x0000000000221000-memory.dmp

\Windows\system\spoolsv.exe

MD5 52968053b498baf5a00ad158d6b29a0b
SHA1 5086424034ce37c09cd3834ad7367f58fcd7782e
SHA256 4b2f63711e1a927d567859c39d80808c60ca473a3763ff344c97c8b179b5e060
SHA512 dfbd94f46773065af22009320d5ab5b34b599cd58e98657c7d3cafa87981da67664db1559366d9b2844b1ba67dadb52f3889466701671826d8cbc4c2558d9771

memory/1432-363-0x0000000000540000-0x0000000000586000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 45d0d372ae0c1e980285a937333142f8
SHA1 4304e1c40f36d7be514ce39b6e79f24c32e5ef2a
SHA256 478e019ae3ae3113770f60d3ff3af91c83d92bb1598d9044bbecc16cebc5d212
SHA512 0bff6d5b62612fcf81e6379c3ca14ea4f460d4e4a705c4a6e789715e4270239e2fae45af74febfb7cef19e550f3d6dec8f7dd9c240fc6a2e6f6dde3b5a8e40a3

C:\Windows\system\spoolsv.exe

MD5 8f545c49936fff8d3cb9150e5ff0387c
SHA1 d1ee9bda31d940bdb7bc347bfe1a51a276e41d18
SHA256 30e71427d46dcfbd994ebf373eb2ba6d6e5c0dcd79a745d1e346c35369ad3482
SHA512 0b216bfdc31d50540e4d03db28928595aaebeafe82cf85c57a678167b723f40811e8b28d07d683b2fe77c1ec1a5d0f62ac93a28a12748ffb42097edb4d94036a

memory/1356-405-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/1744-408-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 5209d93a7bea69bb9ffe40756be2469f
SHA1 6f98e244895bde957623776a17d0412b8edc0c6f
SHA256 a9bc16093c2cc67ef40d69145b089e4bbd85f90b4a89f9ed07da5ddfb8555c90
SHA512 88c1b5123766b8aa0f424325f19552564eb4e37181213a6d1eb79d1e54ec7b5e82f3bee371193bbb28cfe52be54aa615632084447f035a3a4a51636eee8d620b

\Windows\system\spoolsv.exe

MD5 7c2888502f68e88316216b63fb02ac83
SHA1 8d8be8982e9d530efdd2e9583092e02bca44cbcc
SHA256 fa83fe4dc454a78d90bf1bbc2f6aa2ee518ab17725499e39aad9134a762a1b42
SHA512 198367f5ffa4f08754c6bd80390b580aa4472578fbfa6c42858616a95c1370cc8203c5bcc2664bbd7a687e803dae85b190ce363a470447f28155468ffee0652d

\Windows\system\spoolsv.exe

MD5 59195eb704fd8b7d558d49163813492a
SHA1 a150ddc4a60947274ff9808820b13ee953f00a0f
SHA256 4104d3ea855c9ad57e529aca3729114f4d013c77a1a12b2e16f2cc89536f4354
SHA512 b236a00a87df5c6ecd1e56f7e56cea06876a69f2aaf06734cc4de564c94e180ee07c3bb0c9648aa8d627e39f1a092a467822b4612ade4995f92b68e17f22c0a0

memory/1708-425-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 4c2073cb5b2db5384a2edbd3c05cf3bb
SHA1 94066a64a4c49cfd53b69e9c916fdcb74ed3bb07
SHA256 2f06343c5e1279b6fff051d75400eaac463203c047c6e99730f4d7ba757f1762
SHA512 884785403e90e2c145d35d60fb47e49f3c161c53d934c49f2c5e9065d230e18bb877f60a87ee1b5317b268bc95815cf05bc230855237bed568214332cebf4851

C:\Windows\system\spoolsv.exe

MD5 1ec7a685caf8957c41d5b863178661d7
SHA1 add24d854865195387fb1ae4a79e7ce5b0535e27
SHA256 b4fb3710ff67b6f28acc7480d9d432b97677544466f3d13360ef5616e65d7cef
SHA512 8247e3b812459d2ed8abdf82c05ffa18821d22eb1c6d7ed73d8d98a620024b45e53033014d099ebd511d66e833c3d83223601f183c4442fa4322bed7c66bab95

memory/1752-462-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 685c4ae9808913b8fc564a30d0603098
SHA1 54b034f334e46eaf44798891da746510cfe0e136
SHA256 a4122bced20f32a7d8bdd3c2f962201d1bd6ede6feff9c9ecdac63777cc76b5a
SHA512 001ddd291167240cb149efcdf993fe6cfb84304f22c0b225574a31faf19293259d893820bd57506b98fece66b5b6ebcd94356ce48a761460bbce9732e2d3568f

\Windows\system\spoolsv.exe

MD5 55b9910ec40c4e30657c703d277c82ba
SHA1 df464013d8d49a60ee03993d104ea24429e7f1e6
SHA256 9f7cf4eb43c6832b9a7ceae6384b082eaba19bad93e1acf0dc7f3930950bbe88
SHA512 ccd35efe0fe59d253cf3360b9680ac2e983d795f38ca6e284997416c79080e58ddadf2e8debe7cebf1b7672573d29d9758123f9c0f6f4cb4cb4344b6b5e87313

\Windows\system\spoolsv.exe

MD5 b358ae84fe83a3c23081e908fdef0ce9
SHA1 b952bbcbecc86c33ab45f8620b7d9c10ab3f7ec0
SHA256 35fcedb24e1648ff53da3e76a7d03cc01cdf91724fbe20300de62f9e3692cf99
SHA512 132582b220c2bf17d65e0a145028450d4c4b328465ed0306c4fa7421a3038b56b151b154a5b7993c8b7b73cca4abe683d466b66360419392f98b1356c1d32566

memory/1716-475-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1752-480-0x00000000003B0000-0x00000000003F6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 23825000c3207a0c8ab43cb999a6d2e9
SHA1 fd4834e88052f7362076362d865fb3f5a41bba09
SHA256 6790db02a4cd15b73f9efeaaafef1cf8b8e298fb88390e4423294a3586ed743f
SHA512 4bf78fadc6b4a5e3f80dc1935abbbd540cc488a1beaaf2ddea9214c24fa07f3eaf2bfe07c6760b7cb314f1820b083b523c556b7b77af0e8c33646414d333695b

C:\Windows\system\spoolsv.exe

MD5 c4d3212fac72d954fc01752e156440bc
SHA1 388453e20a76cd61434ead2ad4b14dbef60f8a12
SHA256 39cdbc79f341c72a04b2c317df0c530ab127b9ae1f205044282b893493d9e045
SHA512 dd9d87b1f081be07f7d8d0c702a872f06b80e7ff37c70003a817bdb456cad806e080efdd23453d96d2c89ef0f6ad57d0adc7eaa9460e85e8dbb364a7fadf0db5

\Windows\system\spoolsv.exe

MD5 53ec4a0862a16190aa8836648b89a61b
SHA1 f8bf624388e7642f68da7985d10e4f6eef3bc781
SHA256 f54879ba69fc28b0c22d55755bc67daa7f9eca1a7c23c57b7d75ed141612bf2e
SHA512 d60eac5b8801c446edbda96ccfebb7217f8b6c17af1d028aeb2d2efc408d7f585e237e248a45084946554369ffd6cc71aad7dd873d49c2fda6a57f7d0a1c6c6d

\Windows\system\spoolsv.exe

MD5 187ea92a530d0f242f88bfa9d0d858c5
SHA1 abefef1f81279bdbf2985df8d0c9f341adda640b
SHA256 415c154aa31da595106c1ffd32aa0215c2c36e8fd5a5a5fc3e636c346d7bcc30
SHA512 91af8b865408794321c6c96d854245e5d5e945da0b63ae40983dc9671192ae98985ea170f12c651ebe4d4fce6107259d06812d14d721c1c36bcb7ffd85830d3e

memory/1356-523-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/2388-524-0x0000000000400000-0x0000000000446000-memory.dmp

memory/1356-536-0x0000000002B70000-0x0000000002BB6000-memory.dmp

\Windows\system\spoolsv.exe

MD5 1a025d3e3db0b2efa77885d52bfb8b15
SHA1 faffd2d07a1bc7fdd82806af631b54d8582bdf01
SHA256 53da34a063406ece5c5e5c8bccae6d9d23a407f180b50116a45c97a056563732
SHA512 e784410cbae40aa0ab3585cd734232436143717e9d581395572489dd9583561a254cda3d155eb69096b7a7abe310f174b9e3fe388d5f93414550493d7d90560f

memory/2380-537-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 057db98cf909bc14c4fa812781557348
SHA1 c0b77d2209afe54efddd9edb2cb8e8efcb1b6bcf
SHA256 ead8534aad895aad5ab439d39339681403a9a76d34640d8f4e11ab6d7b4cb7b1
SHA512 de4cb12cd3164db2b3b6ff3a855043150f5a4fdbb37e788d67a69096e6aa787c769e3cb1245b30d1aed45647cefbddfc3d8cc1de27abf34164a6bc37bdbc19fc

memory/1356-577-0x0000000002B70000-0x0000000002BB6000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 cb2a78a14d3d94c17b3f9a8306819906
SHA1 f3cd7ec3048a76fe8c2489699c901c3e95d0666e
SHA256 f1d4999c0b4d8a24da7b4f63299fac048efa9eb302a6ca98c4ff527877eae16e
SHA512 ee6b271400de4074c2c6f3362462c0ccecc4293d2244710bed5f652b6bf459dff15472f88a777d7bd05c7ffd18dc6091d60c0ae3552f1642328f0ebaa40e4bc5

\Windows\system\spoolsv.exe

MD5 1e4d8d8fedd87b6474bf4a9c0f19130e
SHA1 b3ad1a7e9cf4bf344fdcf8781bf50565801cf324
SHA256 a52b7824fcdf838d2d1e95b49d7639a89b28f824940c0c389db4d257a9b1a490
SHA512 8334f3df21a91b4b3036ca155130e0cd83f12b935d7b495a52dec69ecf55a5e3ed23aefd99fbd5acc947da38ac4e32ab6c11574ad9fae3ab353fa81d5d2b4ee2

\Windows\system\spoolsv.exe

MD5 5b53da7e4c258245801e4bdcf1cfc350
SHA1 df7c2c032e54340b3b9dbbd2f5286c224a2d75fc
SHA256 086789aa53a2bffae7977aae51d912724cc95a698e42d2c73ac61b22e30faba3
SHA512 fe68710c3ad411359c9b3c66cbce9a691e84664030e5cacc4b3bf391657e230fd894a57f0c2d36d516f0d85f75a6d5a3b7c6623e5cc9925e563623bbf82b0049

memory/2748-581-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2020-580-0x0000000000400000-0x0000000001990000-memory.dmp

\Windows\system\spoolsv.exe

MD5 2bd81f8ec10438c465af48a55f7dcb5b
SHA1 a0f9aea762966ee0addf8a37f9bbb484b13eed1f
SHA256 03e7054dd4ec7cb0a2cb53fecf561c886d0ce8907e057786e840372eec93afc5
SHA512 34d47ef73b7b6d691ab776a94adf957bee93e4d39f91c8ebeff6d634ae38584967188aaa27d699decd17a1addf5872d10b0d248cdd2b11cd266ed75881e1e5ea

C:\Windows\system\spoolsv.exe

MD5 d1cce2213e9abca81cb5616554d89fd6
SHA1 681009b0f80a024749979ecb38c79e9036503b2f
SHA256 37ddafa420809fd7d748d13c1c1edc1a73e7dd6d0d239c19918fab3a9ce9bcdd
SHA512 1b215a6143b245ae070564bd04b9ff7bf5b86ea8c09554cb0f695f7f97d5e9eb20a9b5ecb8f28f453de13778f41e40d27fb0283b055d5f80682379bd8a239c9d

\Windows\system\spoolsv.exe

MD5 ae852c3969b5057ed5f122c09b05c935
SHA1 5e2c6d06cecc2af076ce37f577f3e9b42a845cb5
SHA256 559ccfc5c0874879942a052103d925138d3a8a24997804654c0af3f59dd77e97
SHA512 c63dce914816213d1221db593e3b9ca037e2eec7cdaae7916bff0aad8e992d34325a293eab725f55e53e217ba84bbcce41c46bd9f15fee9ad19d3380a8c9be58

C:\Windows\system\spoolsv.exe

MD5 4d7c27101f7001ec857444544b3b47e5
SHA1 70f11834ce9c401a40158f6afdf5f4f5ff06b12b
SHA256 6df27f181633fffbe355c53214f7adc49f6da976908f2011e316c63290dd0fa2
SHA512 46e2b754de79daf6c94a0dee4dd8dbf840f4c4de5a6c5f507efce6db76bc3d4026633733b05f4716bdba570563cb7f63700a3510a448a00398de6d3c84b16424

memory/2756-617-0x0000000000400000-0x0000000001990000-memory.dmp

\Windows\system\spoolsv.exe

MD5 c3205bd8833d875e9c7ad81e5a483061
SHA1 836f8eae2805966574fc76b61f78c9b7ed20d1d8
SHA256 41530644e994892a6a47cd5d7bc3142c41e9ccbe080d590e6eafbc631e95e185
SHA512 ffba48d96743c036b4dd87f9102f8966aafaaa7da28ceeb49149153efbd397b293008081ea038151043045f00e79408558068051e2a63ccf9defb524eb2b9953

memory/1356-625-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/2636-626-0x0000000000400000-0x0000000000446000-memory.dmp

\Windows\system\spoolsv.exe

MD5 6d736264e30b8d3f206e9e2d646f991a
SHA1 1f37968d9f2b9e094a51535541add23663c7f36e
SHA256 8e2953c5add6eb2694c56c15bed6d5c67d9a9c0acc00c3b64875bdc67cf3170d
SHA512 1297944ef9d9109e97e729c33c3e63e79cd0bd734cedc6bda2bb34ad55e072e257f8edeaf37c0dafe8877c6111e63a6d55ccc393446b6156fea9cffe3143b4ed

memory/2756-645-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 c1cbf8ce331be9ef1b34e788033d0cef
SHA1 c9e53048b3dc59a4d578c9b1fa1368121f97f679
SHA256 8eb73a22655059a8cc440787e75b6193ef51724db63258d378074477af8f2c34
SHA512 7255d24dc45526ea1414b20e49752ba334308da01be908f215951e47934b9df31fa6c9f1d6122e3c2eeedf12ec452608cd436ddbffe14bf907413283076d9b04

memory/2796-678-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1356-680-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/1356-682-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/1892-683-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2796-687-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1356-698-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/1356-700-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/2796-705-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1356-729-0x0000000002B70000-0x0000000002BB6000-memory.dmp

memory/2564-730-0x0000000000400000-0x0000000000446000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-14 13:33

Reported

2024-02-14 13:36

Platform

win10v2004-20231222-en

Max time kernel

111s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs \??\c:\windows\system\spoolsv.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3820 set thread context of 2996 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2996 set thread context of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2996 set thread context of 4580 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Windows\SysWOW64\diskperf.exe
PID 1784 set thread context of 3788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3788 set thread context of 528 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3788 set thread context of 868 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2748 set thread context of 3080 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4400 set thread context of 5012 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2912 set thread context of 1904 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4520 set thread context of 3084 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 800 set thread context of 4464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2028 set thread context of 672 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4004 set thread context of 4540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3468 set thread context of 2500 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3760 set thread context of 4060 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4300 set thread context of 452 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3568 set thread context of 1764 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3224 set thread context of 2380 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2996 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe
PID 2996 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe C:\Windows\SysWOW64\diskperf.exe
PID 4088 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe \??\c:\windows\system\explorer.exe
PID 1784 wrote to memory of 1460 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1784 wrote to memory of 3788 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

"C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Users\Admin\AppData\Local\Temp\9bcee627a1e4caf0ce3fd76712c3a3d6.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4360 -ip 4360

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3316 -ip 3316

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 580

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1552 -ip 1552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2524 -ip 2524

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 568

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\system32\dwm.exe

"dwm.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

Network

Files

C:\Windows\System\explorer.exe

\??\c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

C:\Users\Admin\AppData\Local\Temp\Disk.sys

\??\c:\windows\system\spoolsv.exe

C:\Windows\System\spoolsv.exe
