Malware Analysis Report

2025-01-22 14:14

Sample ID 240225-3albrsfc35
Target a4d9c4bf2f849a58500a6d787a9cf49d
SHA256 452c7936f5ad941f5a2ef765238559a0eafd6b18a7bf274b19c6964487341329
Tags
warzonerat evasion infostealer persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

452c7936f5ad941f5a2ef765238559a0eafd6b18a7bf274b19c6964487341329

Threat Level: Known bad

The file a4d9c4bf2f849a58500a6d787a9cf49d was found to be: Known bad.

Malicious Activity Summary

warzonerat evasion infostealer persistence rat upx

Modifies WinLogon for persistence

Warzone RAT payload

Warzonerat family

Modifies visibility of hidden/system files in Explorer

WarzoneRat, AveMaria

Modifies Installed Components in the registry

Loads dropped DLL

Drops startup file

Executes dropped EXE

UPX packed file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 23:18

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 23:18

Reported

2024-02-25 23:21

Platform

win10v2004-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs \??\c:\windows\system\spoolsv.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\system32\WerFault.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 856 set thread context of 1260 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1260 set thread context of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1260 set thread context of 5088 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Windows\SysWOW64\diskperf.exe
PID 4580 set thread context of 1648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1648 set thread context of 4468 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1648 set thread context of 5096 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4124 set thread context of 4828 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 640 set thread context of 3608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4420 set thread context of 3620 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4764 set thread context of 2420 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4668 set thread context of 860 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5072 set thread context of 3004 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2216 set thread context of 4944 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1008 set thread context of 3068 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 116 set thread context of 2132 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4824 set thread context of 4848 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2520 set thread context of 3980 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5052 set thread context of 2816 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3640 set thread context of 4864 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4772 set thread context of 4368 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2792 set thread context of 464 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3148 set thread context of 2304 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1036 set thread context of 2244 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2328 set thread context of 4068 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4836 set thread context of 2892 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 5084 set thread context of 2700 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 760 set thread context of 3120 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4576 set thread context of 1156 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 664 set thread context of 3724 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 428 set thread context of 1492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2160 set thread context of 4000 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2652 set thread context of 332 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4640 set thread context of 2588 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4540 set thread context of 1136 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4220 set thread context of 2800 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1228 set thread context of 5020 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3676 set thread context of 1636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags N/A N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 \??\c:\windows\system\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 N/A N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 \??\c:\windows\system\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID \??\c:\windows\system\spoolsv.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU \??\c:\windows\system\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS \??\c:\windows\system\spoolsv.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU N/A N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing \??\c:\windows\system\spoolsv.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft \??\c:\windows\system\spoolsv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreateGlobalPrivilege N/A \??\c:\windows\system\spoolsv.exe N/A
Token: SeChangeNotifyPrivilege N/A \??\c:\windows\system\spoolsv.exe N/A
Token: 33 N/A \??\c:\windows\system\spoolsv.exe N/A
Token: SeIncBasePriorityPrivilege N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 856 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Windows\SysWOW64\cmd.exe
PID 856 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1260 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1260 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Windows\SysWOW64\diskperf.exe
PID 2384 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe \??\c:\windows\system\explorer.exe
PID 4580 wrote to memory of 1488 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 1648 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 504

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 376 -s 3492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 504

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4196 -ip 4196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 556

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\system32\dwm.exe

"dwm.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 548

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f8 0x40c

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4568 -ip 4568

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 560

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Files

C:\Windows\System\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

C:\Users\Admin\AppData\Local\Temp\Disk.sys

C:\Windows\System\spoolsv.exe


C:\Windows\System\spoolsv.exe

MD5 3a85ec6be5cd80aafd992ac95d59a4bd
SHA1 7b464d1bc6fb4a7ce8d3c681e8c697e20f2f3115
SHA256 4fd63282a7d2ca52f05425364044a5f950911699f229a214b58ccc7269e00a63
SHA512 63fda58b0ff15f1a7be2a1bb7572a1db809f2a532afc74684b291ecc010d748cb91d2dd8b2df35ed4ac7537949019b2f83fb5f4d1d3ba8e76624b6adc0aad3e4

memory/5072-155-0x0000000000400000-0x0000000000446000-memory.dmp

memory/860-157-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3608-153-0x0000000000400000-0x0000000001400000-memory.dmp

memory/860-163-0x00000000071B0000-0x00000000071B1000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 ca5d3fc55f56c4175950f1599acda0a6
SHA1 8fb4200af40ba707b7133a977d6c8907c2c0f12d
SHA256 56bb7dc753a4085475b5ca2ac352695e9c285ca15397a379bdf52ecd3cc8b611
SHA512 3cdb1fdbb4906ad56f43128d6faba50ec9d0a9007e2d415ddc6315eedcffb1b088ab396a9a7ca799c569f4213524242dc9d06a4d42a7b28c29a860692ccaa359

C:\Windows\System\spoolsv.exe

MD5 ec6b648553e5c881d5d7fa26bd61d6b7
SHA1 570e1186a64c917a89e5fcf537dea1e6cd8b60ce
SHA256 e5c5a3d30ec4852ba0eb43d73a4b3887823f8f0a6d6be4643a74725cb63ced37
SHA512 151568ecb4e889aae733365456ae6530662d7c2690c612794e93257434c3b9124a98d78e7ba0061ba04ce786724df9d438f9c336cc2f77066ff4dc217487c1f7

memory/3004-172-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3004-174-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3620-176-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2216-177-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3004-178-0x0000000007100000-0x0000000007101000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 31c5c2112ab87251835606d22b7360eb
SHA1 e7c442759d9ac97b7e142008b24c4aed6c5adc2b
SHA256 6f4e076aa6cd57804cc2045e1f4aadfed2744cda4a75cff95b64faa0ea5aff6d
SHA512 c5a521f3ad7fbcafd72893068b6520c743d9ec2322bb65c03a298ee78fb987525494712d0f94958bdcad1326dd0f98a2668d4e53ad91988474e65b211f6739e1

C:\Windows\System\spoolsv.exe

MD5 d5b7fffab4892cb246913490acb9c857
SHA1 9313a6e99f6288473e0f8f10224312805e39a6ef
SHA256 2ad2161cd647a7c28ef38c3a7d10d99884301b15b0988e2676a26b9866c51900
SHA512 c5c29902d857d3506d032da70ec253ee7683c24537c44048a6312ed49656edaf9eea47b42eaff2b7bc616d7bbc91773369e4d728d6561f113c9dabde35e239c3

memory/1008-188-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2420-186-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4944-192-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4944-195-0x0000000007390000-0x0000000007391000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e53884ad04f410af7fb3de18db0d4359
SHA1 733b477645cc20f54ff39e1d3ddfef3a18be9371
SHA256 7db6df08dff9e6ce4e4f39ab2b9e1fd7776d0d299e9d72cd493552dcd5e7cf96
SHA512 9b5ab6d4a5d29a044ce7cdac0789505d31e4a3ea625b8a1a4dc1b4d7ff6e161841f0f07c61aa6e5ecdace2d774707f1b11ee1eaa8469b3c3077eb00b0b85b617

C:\Windows\System\spoolsv.exe

MD5 871c60898b7f0665633e267c0523aeaa
SHA1 ae241476dce16e9a1b45c4927262c6df93b89f5a
SHA256 2916168300e6aef0e6c78cea0327989a72e06a95e4e6b8369b0c2b0e0ffdd1be
SHA512 4b316fb92cf174f183c106a986bbbffe37c4715aa47b99ba86b4ee59009c4057c23f1b172ea9e47dc2c2420052dd47378c4bc6541ad3dd4dec150f79b2c342ec

memory/3068-201-0x0000000000400000-0x0000000000628000-memory.dmp

memory/860-207-0x0000000000400000-0x0000000001400000-memory.dmp

memory/116-210-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 caf12f9df84a75e1d79079880ca715ce
SHA1 df1941ab3462e9ec172bff9167a6b199cafad441
SHA256 556983dcc248b57bb85f837c58f9190fb48dde02fac285469b4309c983d959d7
SHA512 b3cc406f8b4166b0907d9618888678ec07c2a17470b0fb4fdc0c00be4ce206e3f51024a9cc52d5a2c9adbc033adc7226f51572bdaba2b8742998451f33291b94

memory/3068-211-0x0000000007100000-0x0000000007101000-memory.dmp

memory/3004-215-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2132-217-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a129781cf17cda83bd585d5f9477d4c6
SHA1 3a3a8e1a02db0775b2311ecba62ca49827274731
SHA256 584ca30a0a509d2a8b31de922e70ad5e1636fbe096b180822ffa56d29bb67513
SHA512 aace5781d2e73275aa84336e04ebfa52d247eaa0b6ec77ac10c07386c32e88a2985b911b69cd4a36712e4e43ec7eb61debc65672f33f874af9dacca395a55107

memory/2132-221-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2132-227-0x0000000008D80000-0x0000000008D81000-memory.dmp

memory/4824-226-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a5a62a576db32d2a4ebecbb8f61f79ad
SHA1 8054dc62044e6a20b494214b992465fc063d3006
SHA256 1ad69ae11c24f92e25b6894a3451dc2d4a926a09b6b5fa14c887432ab899c3e0
SHA512 6ac91273924c38b2f9adb63e978145d9f6a1d818d4b5be7472ba71bb9da22c09ecb5087e673e5cb7d58c80f3731cea391a26deb08e8be84682e47791fda82111

memory/4944-230-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9c7b2728174db887fc9f1dea54400f42
SHA1 59b44617f8af85e9481594cb9b5d56c4bfb86d64
SHA256 cf64b000b92a5d5ad4618ec6f134adfce8ddcb11dd79a6f13138e443ad3cfcf6
SHA512 e4757c5f1229bcb107c1ec789ed079203f940b040fa731f4a4f2fcf45437883ddeb758ac12a4c962fc2b54b8946ce24d91bba4f2e4985b01c76da4e943326508

memory/2520-234-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 fd6a7ae6efdd4613f387af832d4f022f
SHA1 9f2e584c3d80e9438f431cf36cadeab9bc7afdcd
SHA256 f8aaf3b2b599cc9de74fbb8691da9fe8e1749cb8452f6c8bad1ea044b5d89d7e
SHA512 605e0945196fec1848ee687b9c52d7ce942ba260de9ead7d2d3030f25b7b2e68698f7b1b0ad82ee06553004cdc6616e2c0101773087c084780d9989db8270b78

memory/4848-241-0x0000000007160000-0x0000000007161000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 c667cee2f2d1ab7d07868ed6260b9618
SHA1 30a9417187059c37a8ed9726a39311080accbc23
SHA256 da3998514f90aad565cdc2492d6e62005c6132588a61ab8b6b06976d384a48af
SHA512 d3b67056e3b5887bc6ab2b87fb96d928126473e32f339c3e8c5ddd201c32b70829affaa51cedfa6e2d63ec774442fa1bb77f7559fe5be21cb435982f6063eea7

memory/3068-244-0x0000000000400000-0x0000000001400000-memory.dmp

memory/5052-249-0x0000000000400000-0x0000000000446000-memory.dmp

memory/3980-253-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 c97187041e20fe935c12af7f0255ad1a
SHA1 47cb884d4a9f7f89839f14502e0aa2a9bc1c574e
SHA256 6871c7fbd5ec7132b33e595859f751361c2bae56f7ff4fcf25272efd45f0b869
SHA512 2fd5936cf39989b62fff551519a54326126fe014437df85957fc7db044b7817ab3bdd5ad40a890d105644dac66656fed5aa7de4f6cb4ec4130269a81f654cb87

memory/2132-256-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3980-259-0x0000000007100000-0x0000000007101000-memory.dmp

memory/2816-264-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2816-270-0x0000000007250000-0x0000000007251000-memory.dmp

memory/3640-273-0x0000000000400000-0x0000000000446000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 32e242e22204513ed8fb5dc4adee4ab0
SHA1 8309f6f7b3907bd26df2586b5867dd9bb06dc907
SHA256 771b4edd6e0d0e2b615259d8f0ac558e004a4fec511861ce929494e788c84638
SHA512 0bcf442308c41a36bd613aa1c540b813be829b1af4efa9458f8d98ee60bfed78037bba5614fba3a6021cbff9e183ca730d21b745f1780a26cca31cedc1d3066c

C:\Windows\System\spoolsv.exe

MD5 e457bd03109e8744779fec9387cceada
SHA1 b4426fca98b6ab0458f6c9c5701b273468c4095d
SHA256 90ed4b379a7fc24883a49483ec41cc2a096b4933210fbd8f35cdaafef72909f1
SHA512 30a3926bc7ba406e5b0fe93149157bb8c3256ea29a7a1a5c4546519017823498ec80221df60967fd62b9c216008d4c68954a630a4952c1a103327750b33f7bca

C:\Windows\System\spoolsv.exe

MD5 fde492789dcd7b085e2cfdd16c016b85
SHA1 ae04d94711f6b05c9c46b23d7e23d8d4061e8ed2
SHA256 26748d30483c3df4bf85d36936b1b5a20e5332e7af86ff47f608c2baf52f055f
SHA512 cc63e8a38e38d97fbe3d3e495b76f5af7d619aaff03f46f73f492423961bb0f08e4fbb6b130455227b66e4fb18dcfabb577c521b51960a493fda17141584230f

C:\Windows\System\spoolsv.exe

MD5 4e60cd1ceaa0a810eddf7a4244af8194
SHA1 c247c32257212a9ae09e0fa017979cecda936422
SHA256 c5ee4763a87bd0b86f85d3ac5d8dde5f286c1a779b7a3c5cefe573dfdaa1f50e
SHA512 8ca00a4760e3204b05b047ef0b70aa426d872f06820d27fbc876f955b9d75e08b8168c77e5ddb2dde72ae91f6c59464010cf6fd5905085e7ab53224575990ffa

C:\Windows\System\spoolsv.exe

MD5 cfc2323b102ae73f1f2d37d2809373eb
SHA1 929f5b068cf6dc953d33584bb96036259b7c2ab9
SHA256 b0a69fa0a4351c77492a2b06df42bcba8ef4caf9f0147e5e25a8ecf5c7d5a9a8
SHA512 c738b488d3ce0c758f0b979aa43b153b4e4aec621d234dc16f2f54fa52c65516a4bec621644b1f3b35c59161732b1c8d2114fe8d3ffb793b23885e7dffdcb195

C:\Windows\System\spoolsv.exe

MD5 40ae3e2986219885ba5ca5d9006df92a
SHA1 fcb2a668ddddbbe61a46cd15d19f669fa9e3b778
SHA256 752795473d863253cef725c9adc5f1d2c42dfd207d72d257dc390c9377265eb1
SHA512 69ca6c4386ff833653db2d09c29cc2d4be0bd5af1e59bf183958529bca2e2b43e6c19538a60b0f0c48202747366ce16c82f7e08a08ffb6331a326fd99af09b60

C:\Windows\System\spoolsv.exe

MD5 4cc7052a3b323fa75ddd89e49793608c
SHA1 c6e9f35071534403079e51e4bd4d2c985547088d
SHA256 f558f3662ca42d2305fbd5565ff4152056e974bf553d754340d9ab17470c81c7
SHA512 f4a66d1ab3772daba2f144788b4ec96f6c9e3241fd59b17cb5af3728e7aaf7243736a0f62c5b952a5699d3945980253fd860380b3e10403c0cab5af4e141a327

C:\Windows\System\spoolsv.exe

MD5 6746e393c2d421b843016561f62447ce
SHA1 cb9558e3c13f86a1bde044e5cb245da01c948b25
SHA256 c6d06894cc8986a493ba06d8574e099962c6362ecbc78c1dc93fdff5d6d2a5ca
SHA512 c4b00b48afac6f51baa4093e40835d61d4784b8e1597fa9dae02ba78a774a355ad7b0108d2af01d265bafd0cb7a6bc34eaaf21c267be46b5925bceabbd44e1a9

C:\Windows\System\spoolsv.exe

MD5 155cbef5689ec8c70ef1209fb1d476ca
SHA1 204679c4bd23ba0f2304cd604a4d47b0f1827d39
SHA256 c6a529dc6a36c01e7ffb41d0c4cdd08b294a0fa6f97d0e3bafb9d613390760a2
SHA512 6c2a197895368a30f067c16618dddd172f9c6388d4527a5f9409a0e2418c3f2312125f52a3c53dd942812bc99bb0c89ca26186c9f60492cedd8576664b0cc838

C:\Windows\System\spoolsv.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System\spoolsv.exe

MD5 73d9aebff3073b252a235f22bcc090fe
SHA1 54ccb56d327549f7569723672e50c17a9865a343
SHA256 b7c6389775ddce923259dfaf03db21d986cd05f80b2344238c9f0f60a6dd17b5
SHA512 61d6f57a482e389e87dec5e06c3232983d0c4ec502d9c8be3aa5bff493fcb672b5ad1c576a7497842c5c5c7be8a84a6e49090f10981f12e63709481f82731bb9

C:\Windows\System\spoolsv.exe

MD5 14311e5634439c12fdde4be34943aee9
SHA1 975ac573b5e10e1687137c93b8be31c81c856e7f
SHA256 9588c835bc350f1079fd7012b79b32bf0a7e6af6f95e78fa782f6dee7389aee3
SHA512 644127380e2a4ac8eb6ee572e7dc8ec7a429f966389a309a5f24bceab2a544ecc2f94b8e933c67da325a7d20b2348652cbf7d50fce793dc359a36137fa7cedba

C:\Windows\System\spoolsv.exe

MD5 6f16b83fedbb9f93a783efc30d3b70c7
SHA1 eb55b47810e485ba622ef729a088a116f4f6f493
SHA256 bb3c3928fa0fa7a1895457d6aa87a0d14e2efa2e4f22de85e06ef8e6fa100939
SHA512 f07912f018a92140f392429fbea09428a90ebf5ca356073036fd67fde02ad60893b5c8da0349b0df85a458570afe0971086c1b8e9a226be36580fc9e1adfc5e8

C:\Windows\System\spoolsv.exe

MD5 af8068d19cdd576e83533b8e99528fe9
SHA1 17ea492c7be312c64df6a084aa045d9a28c262fd
SHA256 7ac1c4bbe2fe454839e2b2da53d4a83f3a80020b0df89c181111e4f37f93313a
SHA512 f4e1777fdef904e0b6d63becbbdfd896a57f11b6396d6b0690039b27c89a433b16565a05686a001d5fd461511ad279c85ea56377f4bf07e99aecbc34654a5851

C:\Windows\System\spoolsv.exe

MD5 3bd6aaa91424453f475168c28165ded3
SHA1 6014d37442f8dea42c5f9abd6ef3247cb8adf022
SHA256 daa86c73f083754347ad1ff1090ef201bb73ae61a11720ef9d836309ae31d34d
SHA512 122085e0e7276af29c3850dd69e73be397895af4893ef07ba6a0f223a98e9663b1c81aa19bdca223899cd7ace8baa957b370da6509db69fec1197bf7d083b429

C:\Windows\System\spoolsv.exe

MD5 cbb6f4c004a75933172e088f097592f1
SHA1 5e68037de83b9c6cb75a9a9effb4a24df3b485e2
SHA256 28d3fb16a4d5bdb3e2bcb1ca1047a04fc791c4152ba6f15ba12269795be69e27
SHA512 c4f55036fffcf0dbec9a9b3c09cd216d040f3ac4d0121ba5c9135dd8d6eb393bd075a4e946c93f691effddf2faad70de5d121fdf9609a200c319dfb731883d11

C:\Windows\System\spoolsv.exe

MD5 0f734998d91202f522a55a31a944eae2
SHA1 67112932628d80f260b3eca2d02d207e5d99c954
SHA256 06efce6fd9a2fe3673c9385ee413109198d7bf2ba29ef994edd2a7ce8cfc5f72
SHA512 74e3539674e416e0adf4d3001d227030f81810b9f39e259aee5de2faaf4a7b853021a9311efb89c3aca43c2388c4dfe778bf4c120647294c2f82172a685182f9

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 23:18

Reported

2024-02-25 23:21

Platform

win7-20240220-en

Max time kernel

98s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1588 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
PID 1588 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe C:\Windows\SysWOW64\diskperf.exe
PID 2412 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe \??\c:\windows\system\explorer.exe
PID 1056 wrote to memory of 1624 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1056 wrote to memory of 1680 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe


Network

N/A

Files
