Analysis Overview
SHA256
452c7936f5ad941f5a2ef765238559a0eafd6b18a7bf274b19c6964487341329
Threat Level: Known bad
The file a4d9c4bf2f849a58500a6d787a9cf49d was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Warzone RAT payload
Warzonerat family
Modifies visibility of hidden/system files in Explorer
WarzoneRat, AveMaria
Modifies Installed Components in the registry
Loads dropped DLL
Drops startup file
Executes dropped EXE
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-25 23:18
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-25 23:18
Reported
2024-02-25 23:21
Platform
win10v2004-20240221-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | \??\c:\windows\system\spoolsv.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | \??\c:\windows\system\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | \??\c:\windows\system\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\dwm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | \??\c:\windows\system\spoolsv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\dwm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | \??\c:\windows\system\spoolsv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | N/A | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | \??\c:\windows\system\spoolsv.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\dwm.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\dwm.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| Token: 33 | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 504
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 376 -s 3492
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3588 -ip 3588
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 504
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4196 -ip 4196
C:\Windows\system32\dwm.exe
"dwm.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\system32\dwm.exe
"dwm.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 556
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Windows\system32\dwm.exe
"dwm.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 548
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x40c
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4568 -ip 4568
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 560
C:\Windows\system32\sihost.exe
sihost.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-25 23:18
Reported
2024-02-25 23:21
Platform
win7-20240220-en
Max time kernel
98s
Max time network
124s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe |
| PID 1588 set thread context of 2412 | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe |
| PID 1588 set thread context of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1056 set thread context of 1680 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1680 set thread context of 1140 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1680 set thread context of 1608 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 904 set thread context of 1584 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
"C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
C:\Users\Admin\AppData\Local\Temp\a4d9c4bf2f849a58500a6d787a9cf49d.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
Network
Files
C:\Windows\system\explorer.exe
\Windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
C:\Users\Admin\AppData\Local\Temp\Disk.sys
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
\Windows\system\spoolsv.exe
C:\Windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
\Windows\system\spoolsv.exe
| MD5 | c0bfdcf8155d9730950037ad3d9e6807 |
| SHA1 | 55fc4d4c5932f3846c3bf34a7b5a83d9489a205c |
| SHA256 | 3e5666e84d8eba3e1fd0e573187e9e1b44ae7652112080a3d9d18345433fd137 |
| SHA512 | 554ea054f8d5a054369cf78cb914b28838a454f52b5031261ebe57533488750221cafe441d4a01e766a15aec11fd99ec33545d2ac82109772998e3d9f4d3a053 |
\Windows\system\spoolsv.exe
| MD5 | 113183def317d6bebc3e747da8642b3f |
| SHA1 | 7fcfb6215e2a4e5c1f5d30237237df873e22e033 |
| SHA256 | 57719d6e40152a7042b8b7896ce8f821ebe01198ec01f19572d575eaad8e28d5 |
| SHA512 | 1013f3095f6e1434253f49aaf17de41e892e79d6d610e6bfdfd44037559fefe1cbbb3698dd29b77c24f9ba07e8ea859bfd6035a7d2bcb64edbdd849f5e7431b2 |
memory/2268-576-0x0000000000450000-0x0000000000496000-memory.dmp
memory/1264-578-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | e64d63c9b5c3e6e61a3536955528e445 |
| SHA1 | eb60195a83d40b73a2c7fb7e7f10625de31dce91 |
| SHA256 | 2efa53af310f897b2937a116a4820c1a5922e7f91bddf1f1036d18d3aad5f0fe |
| SHA512 | 4d50a8405315bceacaf308387ae094dc1bb485da3ad8ae1644f44b25636df65b3016c237f2036d3b0915c4add1d01c1b6166256a97be6c8eaee888e3275196ca |
memory/1140-615-0x0000000002660000-0x00000000026A6000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | d365593555363d429afe562b811c7904 |
| SHA1 | 58e73f7e0c736ffaa2dc0ea5e2847ba177942b2e |
| SHA256 | 6eec36804f42d69835993ed1f5ff71cd0f59cac9076299173bf46c3561b4ad16 |
| SHA512 | efe76d690d4157574b346d58e7980b8fdb12ca9f4065b11238042ead1d0c100c5930b50cf43ae4923455fc78b343447d48f64d343162da63bc44e891f22dde2e |
memory/1140-618-0x0000000002660000-0x00000000026A6000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 1c7c33d7398280862ee6ade94cbc4ae1 |
| SHA1 | c093e2415a63f303aa6ab0a6bb1195879860b3e3 |
| SHA256 | 2e2120dd9e22cf97fed9e69fa2cfd3b8a8b87178c8bdd562cc5ab5620a9045c1 |
| SHA512 | 2c49275c6cc1a91f47154af4fcd92836202467aab6f835a5bc64362b11e605b755f8f8a10785ab94aaef9b7eb9dea3ee86e33bf9e706ed60e816a82e5509a0e0 |
\Windows\system\spoolsv.exe
| MD5 | 8a0aa43de6871bb2e1a6c11703aa5ac7 |
| SHA1 | 1f1ac06ccc1765086a2a63b1e17c83ee7d182dc1 |
| SHA256 | d5e3874f7b7f7544d10151cbdd6e1703e470e39fd0c1e9eb40d41dbe53dfa4f8 |
| SHA512 | 69c0d60ac13364767d4c520bd9a3d77b4ad3a56997bb53317d2aa9b145c68a7c912588ec6807b00d11ed94ee3f7ca01dfec0303937d547927a7f1cdc9386e172 |
\Windows\system\spoolsv.exe
| MD5 | 8b7ec4d3d67a165c2fb6e23a9b5c15aa |
| SHA1 | c741fa02cfb8c2f628e06a0785215e4e6aa33354 |
| SHA256 | cd203d169ff5cad3a86d1ab95acf2fe27ae81882ad36036dcfe8514a921c796c |
| SHA512 | 15de131246ab26d054ab3f3090b53f48db3679a71aeadc9eb2fb3a2033fcb9e9841a683efcc2a933522b04978aacb4215bf22d6b617e4ff8917d52ef42826211 |
C:\Windows\system\spoolsv.exe
| MD5 | dc815de4b487814c1b0bb56bf277b796 |
| SHA1 | 5bbf793a954aeecbea08bf8ddbe536433ab1f73a |
| SHA256 | 5c0a14b2f818f0b3e620fdda4e165bb6abb9252172190c64a89a86c58d09592d |
| SHA512 | b87e2f5243e0105cae92be92ff3cae89d76e1f1dd79e36f793e38a5cd00423c7c66ad3e89f3dc1052aa128068d53ff8bbde5cec872802c680c0d310bcebd9742 |