Analysis Overview
SHA256
3391dc20d243deab3083f3fa8e943d88cabc28b4bc438988a5ddb334c380912a
Threat Level: Known bad
The file abd3f028f8a68b4608c9e7ac1064f101 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Warzone RAT payload
Modifies WinLogon for persistence
Warzonerat family
WarzoneRat, AveMaria
Warzone RAT payload
Modifies Installed Components in the registry
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-28 11:58
Signatures
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Warzonerat family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-28 11:58
Reported
2024-02-28 12:01
Platform
win7-20240221-en
Max time kernel
130s
Max time network
123s
Command Line
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2940 set thread context of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe |
| PID 1900 set thread context of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe |
| PID 1900 set thread context of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1100 set thread context of 1548 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1548 set thread context of 752 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 1548 set thread context of 884 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe
Network
Files
memory/2940-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2940-3-0x0000000001E00000-0x0000000001E46000-memory.dmp
memory/1900-2-0x0000000000300000-0x0000000000400000-memory.dmp
memory/1900-4-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-6-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-8-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-10-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-12-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-14-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-16-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-18-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-19-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-21-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-22-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-23-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-24-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-25-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-26-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1900-29-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-32-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-34-0x0000000000400000-0x0000000001990000-memory.dmp
memory/2940-36-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1900-35-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-37-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-38-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-39-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-40-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-41-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-42-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-43-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-44-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-45-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-46-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-47-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-48-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1900-49-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1900-50-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1900-51-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1608-57-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1608-63-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1900-64-0x0000000009850000-0x0000000009896000-memory.dmp
memory/1976-70-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1608-59-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1608-55-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1976-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1608-80-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1976-83-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1900-86-0x0000000000400000-0x0000000001990000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 0ff4766c22e11d6046392c2a9a89c3cd |
| SHA1 | 31e55d650ee62528b13448fdc8cbb60e02f2de09 |
| SHA256 | 0cd2c22f08336621cc29ba02127a0d0e66cd72698ba5e3a48e73ab46d0f6e70a |
| SHA512 | b75deb86b025f3cf15604800dc31baa725b5904266aa0d2917809f3f1dd985b4894b6bf0a39ab7ac0b19e1af2bbe468b87e1b70b97df787d697609b0d07df4fe |
\Windows\system\explorer.exe
| MD5 | 41e2d668cb605eb2f0984ff9f3c7986b |
| SHA1 | eab218bc7cc522d49e47022478570eeaedea8086 |
| SHA256 | 00557f4aebc19817799c9d62078f9f59acdb3695bb728cf7792de2730981df31 |
| SHA512 | 17531acd22ae373d4a36bb4f564251f36f149cc55a0fae35c4d1d10a00dbbd1575f3d3a0d3f50dc714e13b70860558fdb7e2b07ce903230f983ad87409bcb194 |
\Windows\system\explorer.exe
| MD5 | 9c40a6c5d830b518542006f9203946da |
| SHA1 | 6ba0ea6cf9614cf548dfde9db903cd3d6c8a5f79 |
| SHA256 | a8f53253807a4810120ebef42c427021da55a1ac4debd1187f4b9e8179335512 |
| SHA512 | 37deca13913b00a93d93d798af97a291a57c95555cc9b488d8bd4dbd5e5569dfc71dc01b8ddaf766b9c1bf643c260ff6d14d6a1839a301ab685a9be9f534f165 |
memory/1608-95-0x0000000001D60000-0x0000000001DA6000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 6eb0277a2d9d24ca2c4c10949da31a71 |
| SHA1 | 2878a975c10f678ca7bcd5d3d0483159608084fb |
| SHA256 | ae6b12651af9864ac3baf2bd4b27ae4344d97290a7acd1720613ae22a787caa3 |
| SHA512 | 96194f9e50a9d17bd5773ca0b4084965cc6c79dbf94d372e3bd70571ae62d1a33dbbf04a82e143a9039c264f9b338c2db6a56f01f0b3d9eeb1edb213260f081f |
memory/1100-97-0x0000000000400000-0x0000000000446000-memory.dmp
\??\c:\windows\system\explorer.exe
| MD5 | 33411dd22c9a1b4f85dff7ace9f2ff7b |
| SHA1 | 310c927926795fbfdc3d6e89927cf9b2834cb6d4 |
| SHA256 | d10696e3983d5a92667345fc71f6af4bcd38a80d760f2c345d8cc713b1587a57 |
| SHA512 | 5cd1fb46c9f065faf9958e10793060c52ad232f1e1c84f87a54b98beca612b8dcf5a14ddbc5f56271b241bfa5bc90c588cb29c7239f96058056b12a9a4d3e785 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 8445bfa5a278e2f068300c604a78394b |
| SHA1 | 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65 |
| SHA256 | 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c |
| SHA512 | 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822 |
C:\Windows\system\explorer.exe
| MD5 | f962405ba617e0e33033b9e8d974d8d8 |
| SHA1 | 436d5d85cc73b56946322cd19dbc4eae8bd406cd |
| SHA256 | c3ae9c9797af62b0050236bb0db104eabfeb7c8567e09b87791fd598081e735e |
| SHA512 | 972d7c7956c3318e589efe96c8dd89e22c3c2ebf56f59353e437b895c0e4362229509c26f7f1fc2422895a79f7a7d7853fe8171223a4b51986179fff9ec0b438 |
memory/1548-134-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1608-140-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1548-149-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
memory/1548-152-0x0000000006FD0000-0x0000000006FD1000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 2ddf6df817160984e047117d0375347f |
| SHA1 | 11f608ef7e7133e40188df577b54111c9f95cb06 |
| SHA256 | dfeea6c6621cf9667cc5cef6825757b7f36d967f0916e5d04e24d2e33ffeda21 |
| SHA512 | 10d95ebf6d36881613e6bd5180a0cfd617fb31324724e3efdb14d1cb39fc9f6634fbbda1a3e2b28b06ac0efe82ad0f6cb1f944db13543902eeffa4befb767215 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | e230695c8508d1dd05da9b1f8150a0e5 |
| SHA1 | 95deee881c579175356f93c5c6555197942f72ce |
| SHA256 | e26848238e4a47ebffff6dcd5ea19c430f6d69b156558e49f35d79621e269f1c |
| SHA512 | 73c54ffdb9d889bd9bf044a4a7df744966b745490cd6fbd12f09fc50946c4fae4ba6f30a2c24e4c66b57e93392d07443e95e0aa290ac6ae05905385a170ee8b4 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | f6d012961c9dae2fcc8abb56ca438c6f |
| SHA1 | c01b37a515c16807b34e06b253a29beb67729ed5 |
| SHA256 | 64c1b262352126f2e25dc39591cbbad7db1a6f25f8005eb30345bdccefa1856c |
| SHA512 | 24fed6b43c3080651c634b92c88291425d2625e2baf6fb1e2b4d8955616a39a4c00bdf339fffcc2c97c2dc9f2d63b55d7c545764535acc3c93e445183f4453ef |
memory/884-181-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1548-185-0x0000000000400000-0x0000000000628000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 0c14a3e04bcd0491807db5db589657a8 |
| SHA1 | a817e93212a35277fc6f319103850f7a083889cc |
| SHA256 | 8a0d6aae4dba5794c506c03dbf3d2562fe8deece47f5aa018852fb3dff6cb690 |
| SHA512 | b946e1cefeb1ead8666d8106b9d1a66f1d8615d80d4f57afa4acc0e632b519445d08c4cd44983824d10d443a4e4e59ce3301fe2df0422a5a667ca08a4cfaacc5 |
C:\Windows\system\spoolsv.exe
| MD5 | 3932cb826e53f915a2a4cdb043b52885 |
| SHA1 | 207229d796fb8c9ab5e1c5b79b500900ba0ba65f |
| SHA256 | 201d03c0016be41cb8c288f560d5a8a2c3fa3d54bd10164935cca9fce6e1a042 |
| SHA512 | e6f22a9a4c6521a2e8c3b3d9cedd81abfbeeb2ce3ab53f1dc7c67ec4dd82994f178e29b110867099464ae708b4adcd9b4c9a22f9ba7afe46b2b91d02813a530f |
\Windows\system\spoolsv.exe
| MD5 | 70caa01da86deed78b4839c2cd9a5b03 |
| SHA1 | dddc8e66f5ac512586a85eb0de60717ddc5a7bff |
| SHA256 | 2149e0e69d58420187aad61d2bc218d006f2c8849d126b5cfc66e6608e01a2ed |
| SHA512 | 5a6d17bb24f8fd3b023b3f7df32189fcc18338d81926993e089e0feb0a8442f1c6250fd494b496081206d3c498a439ece2b0a718d80bcdddabfa0ee09442d9d7 |
memory/752-196-0x0000000002BF0000-0x0000000002C36000-memory.dmp
\??\c:\windows\system\spoolsv.exe
| MD5 | 5fda79822ff28cde94f73f7cf75ff00f |
| SHA1 | 34111f9da7d82e440ba52b2c5a35159d1a3455b6 |
| SHA256 | c2ab1555d26a230de187f99f22c03d430e092407c27e6666d068cc439f32553a |
| SHA512 | b2b9778718e520975665b0b1e3056f852911a5208b2b2556ad87dbca33fcb48d2a2d9de36145e211ffcdb362f250b1270fdef1af757b6df16179fc0e869222df |
memory/1120-198-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 17c31cb7ad10c27b2cea9360d6c70a2c |
| SHA1 | a875214efaa9ff587f134210173159ea287478c0 |
| SHA256 | 63308a4dfc891e04e4a6f7c56a0dd97191ee7535b129c124ccda116e3f2162d8 |
| SHA512 | d4ea3431237bc6dd1177a0ea8014e4a266aa0bf23a2114a38af21e0aee3a3d277fdcb01a9cf95b3c68ba0bc7d76b4db4afaef14fa96770124e0f364a9e81c5b4 |
C:\Windows\system\spoolsv.exe
| MD5 | dc815de4b487814c1b0bb56bf277b796 |
| SHA1 | 5bbf793a954aeecbea08bf8ddbe536433ab1f73a |
| SHA256 | 5c0a14b2f818f0b3e620fdda4e165bb6abb9252172190c64a89a86c58d09592d |
| SHA512 | b87e2f5243e0105cae92be92ff3cae89d76e1f1dd79e36f793e38a5cd00423c7c66ad3e89f3dc1052aa128068d53ff8bbde5cec872802c680c0d310bcebd9742 |
\Windows\system\spoolsv.exe
| MD5 | 110d1852eca5e01976a6af67391b6505 |
| SHA1 | d5949f7c4bcfb8302df8c641744e4de8ceeeedd2 |
| SHA256 | 48f208df1cad1a92fb45975af94cc21abe3b7f5a933d94f9cbf05d39e4565900 |
| SHA512 | 7477b7e28533181ca693b43e43e79705f39c0b546a8a448eed457d6690a15e72b1f451f0a8ec1a104d3665e0b5eebe20a41e215c6069670ceb87174f1b638d1d |
\Windows\system\spoolsv.exe
| MD5 | 67a965e20c4f6f7875a0bd59cef3f072 |
| SHA1 | 63b5531a8bd5c1c657ebc391f673cf8d2d2d3002 |
| SHA256 | ee97b476510eee782287725e0aefff7a14d21d75b51beddabecd06c70caf3bfe |
| SHA512 | 4755214fabe424f54f8bd82dda9840f3cf0cc2109feaf58f21265aad452ebaebfc4ae5d51c0c3e0c1cff714af9faaecd338e40ff7eeda2cfd03901866ce9227c |
C:\Windows\system\spoolsv.exe
| MD5 | d64579985be59941da25529f147aab92 |
| SHA1 | 47d17d23ee66de97c5ca876ae4cf11059f22e07a |
| SHA256 | a5af8e8c59c1ccaf9c261c755ba4c896d70fb982275fa3754fcfdb26f024cd3b |
| SHA512 | ce3e40096ade4afa69d4e19f9bc2105e1f9bb2e05d83d783620092440c4e0dfdc22781a76df2c47798758693871babaf3e46784ecfb9df4ffdc5a8ce03fd252f |
memory/2472-240-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 13222a4bb413aaa8b92aa5b4f81d2760 |
| SHA1 | 268a48f2fe84ed49bbdc1873a8009db8c7cba66a |
| SHA256 | d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d |
| SHA512 | eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140 |
memory/752-243-0x0000000002BF0000-0x0000000002C36000-memory.dmp
memory/2340-246-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 113183def317d6bebc3e747da8642b3f |
| SHA1 | 7fcfb6215e2a4e5c1f5d30237237df873e22e033 |
| SHA256 | 57719d6e40152a7042b8b7896ce8f821ebe01198ec01f19572d575eaad8e28d5 |
| SHA512 | 1013f3095f6e1434253f49aaf17de41e892e79d6d610e6bfdfd44037559fefe1cbbb3698dd29b77c24f9ba07e8ea859bfd6035a7d2bcb64edbdd849f5e7431b2 |
memory/2340-250-0x0000000000450000-0x0000000000496000-memory.dmp
memory/2472-262-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 5132a41535fa8fa6eb41b01f4fd4988f |
| SHA1 | 1b2b166555fffa865acbf79afbc18c5cbc5ce690 |
| SHA256 | 14d09cf51b9e64558bcfc362d8877ecf41bcca89801248623bc894cbcebfa611 |
| SHA512 | f23d6fbf7c0416182d58a0764b898eba33b51b867577c3ece861e34241c0376885f2399a33aa0080e43e097308ccce199f335597627f9d9f4e800a2620ed2407 |
memory/2840-282-0x0000000000400000-0x0000000001990000-memory.dmp
memory/752-288-0x0000000002BF0000-0x0000000002C36000-memory.dmp
memory/752-287-0x0000000000400000-0x000000000043E000-memory.dmp
memory/752-289-0x0000000002BF0000-0x0000000002C36000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | f0d17369e60714d71d8b4990e4e3dcc6 |
| SHA1 | cb7850ad40f43b770a9778b4cad1f2b86ae407f8 |
| SHA256 | 5eeb9e15ee28bdc99dcb9dcc8b44257d9e1cab3bd5cae05c246b1791d84af8ea |
| SHA512 | c486ffe8ab832f92276e1c5360ef0141cc3865348f22e9f3ee6ef6be76dbcc97187fc9d390536f0b02cf4a7501e7c1ace67f8e9ab72eba7338801ef7cf39b223 |
memory/3016-291-0x0000000000400000-0x0000000000446000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | e3deb109c419189a759b3240fa723e94 |
| SHA1 | 8402667484d7a517ebfb571a36b7a9b6732a961e |
| SHA256 | 4eee9c710137abc067b02148ce310861479f2d4133884c0e0a3f2a42883e491b |
| SHA512 | e0fda3225d88f16c1106e6ec167f647e16a5109eaa46d379f02fe3fd4eb9741b05ce5b33d3dbeb581da834d26f15c557e1124bb09ca07fab1e2fa3f66761d1d1 |
\Windows\system\spoolsv.exe
| MD5 | 3cfdf2ddf2e502abaf85d91b18546efe |
| SHA1 | 6eb2f2367135a2543258051cefe5c5aee7c32201 |
| SHA256 | 08b22cd89d1eecad9c21d8cf5ff3262b5475827dcca2a7a74b9eed12fd3d805a |
| SHA512 | ee7b44cd0899ec745f452ad03edbddac133ebcce90d8f3918fd60ff343e62d77ae3b368d29d5ba20d31e7849bbb15739cb1c09a32a680d164423b16cfba61d74 |
memory/884-295-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 995caca41a6720ea36b02876ce712e9d |
| SHA1 | f481d6040268155fb791151c69ea372e27c05e80 |
| SHA256 | 6afc700879cc6a44b7447381bcbd685bc4eb4380730eda03ab18d20acc1c92f2 |
| SHA512 | fa8d495bee5686bdbb120c1478e0936f61b2ce8e721afb628ad267c84aad492f223bed88bb9ebb673b6142a8a4a3f5c40c9082c4be4462c695a8d881c0e77ab5 |
memory/3016-300-0x0000000000390000-0x00000000003D6000-memory.dmp
memory/2840-320-0x0000000000220000-0x0000000000221000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 4c1118698ee3ed03c8f5ca95f9b3edc0 |
| SHA1 | 640e5a10f4f4926051cdcd56b8b43389ed509970 |
| SHA256 | 08ffdc96fbba545090a7254eda527cf71d898e85b58c1556ac9e50c3c66ac9c0 |
| SHA512 | 5c7b4951401bc3d412f03cdbb82fa961373c4288f38c406239ee3d5c308f412aefefbb79eebb6c664b8870a231177311194cf7ff376f1adf40b8cec06fef6f9a |
C:\Windows\system\spoolsv.exe
| MD5 | 556be00c0a44f87e4aef202c44ac246d |
| SHA1 | e1be5efd3d1ea9b65836decd9c10126ed36aaf6d |
| SHA256 | cfed1ab7cf265cf5ab419bbd0fd235416305c3d5cf34644ee408839a4323db83 |
| SHA512 | 8446d2b32020042a3507db7cf96b067f6ed3a6eaef320e170c43b04623a0974dac836a7c6ebffd8f8c79c90e54a342c94063a24030a48d9c7a745ada471f332c |
C:\Windows\system\spoolsv.exe
| MD5 | bf5874b19afa20fa3bf0e902da2302b4 |
| SHA1 | ca004c361dbe017dc97f1d423f381b30bc204b91 |
| SHA256 | 5dd9a4127ced859e3cdc4eb023bffa4f677eea7721f5e499bf19efcb95d25937 |
| SHA512 | ec2d720260668f20b76937781bb5995350a63684fa9c475af512b6f06ae23d90d0fa8f34b4864924ce0bd614a447095e555262a5a3ae3ec699c8e891581cd641 |
memory/752-348-0x0000000002BF0000-0x0000000002C36000-memory.dmp
memory/752-352-0x0000000002BF0000-0x0000000002C36000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | b574f96be60c5fe7773aa299dedb50e3 |
| SHA1 | 4d40dd0181527e98956249b0f76d29b0f7f3cba6 |
| SHA256 | c3fe43bd74cf3ce0f70f853b2b6b9f89a431cdadfc98fbda96832ab793d2392b |
| SHA512 | 348fabc2ff2071519f4ef058e5472b0f64a8921d30e90cb7926810afd8bf6b747126ecf80c09ff23ae3b9021cfa5405a4a3648f4a5284a2159cf3d217d78e311 |
memory/752-357-0x0000000002BF0000-0x0000000002C36000-memory.dmp
memory/2424-358-0x0000000000400000-0x0000000000628000-memory.dmp
memory/1080-361-0x0000000000400000-0x0000000000446000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-28 11:58
Reported
2024-02-28 12:01
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\System32\Conhost.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | "C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe |
| C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe | C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2936 -ip 2936 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 504 |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
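Three things in the Run-key table and the process list above are worth turning into detections: `cmd.exe /c echo ... >"...\Startup\x.vbs"` writes a script into the per-user Startup folder purely by output redirection; the `Microsoft OneDrive` Run value points into `AppData\Local\Chrome\`; and the copies of `explorer.exe`, `spoolsv.exe` and `svchost.exe` live in `c:\windows\system\`, the legacy 16-bit directory, not `C:\Windows\` or `System32`. The Python below is an added example, not code from this report or from any sandbox tooling: it encodes those three observations as rules and runs them over events copied from the tables above. `LEGIT_DIRS`, the rule names and the `SAMPLE_*` lists are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not code from the sandbox report. LEGIT_DIRS, the rule names
# and the SAMPLE_* lists are assumptions; the paths inside the samples are
# copied from the report's tables.

# Where the genuine Windows binaries of these names live. c:\windows\system
# (no "32") is the legacy 16-bit directory; nothing legitimate by these names
# runs from there, so a match on name but not on directory is a masquerade.
LEGIT_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe":  {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe":  {r"c:\windows\system32"},
}
STARTUP_DIR_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY_RE     = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)
USER_WRITABLE  = re.compile(r"\\(appdata|temp)\\", re.I)
REG_ROW_RE     = re.compile(r'^(?P<key>\\REGISTRY\\[^=]+?)\s*=\s*"(?P<val>.*)"\s*$')


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def normalise(path: str) -> str:
    """Drop quotes and the \\??\\ NT prefix, un-double backslashes, lower-case."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\\\", "\\").lower()


def masquerade(path: str) -> Optional[str]:
    """Normalised path if the basename is a well-known Windows binary name
    but the directory is not one where that binary legitimately lives."""
    full = normalise(path)
    directory, _, base = full.rpartition("\\")
    if base in LEGIT_DIRS and directory not in LEGIT_DIRS[base]:
        return full
    return None


def check_process(image: str, cmdline: str) -> List[Finding]:
    out = []
    low = cmdline.lower()
    # cmd.exe /c echo ... >"...\Startup\x.vbs": a script written into the
    # per-user Startup folder by output redirection; no script host runs yet.
    if "cmd.exe" in low and "echo " in low and ">" in low and STARTUP_DIR_RE.search(low):
        m = re.search(r'>\s*"?([^"]+?\.vbs)"?\s*$', cmdline, re.I)
        out.append(Finding("startup-folder script drop", m.group(1) if m else cmdline))
    hit = masquerade(image)
    if hit:
        out.append(Finding("masqueraded system binary", hit))
    return out


def check_registry(indicator: str) -> List[Finding]:
    """indicator is the Indicator column of a 'Set value (str)' event."""
    m = REG_ROW_RE.match(indicator.strip())
    if not m or not RUN_KEY_RE.search(m["key"]):
        return []
    exe = re.match(r"(.+?\.exe)", m["val"], re.I)   # drop arguments such as " RO"
    target = normalise(exe.group(1) if exe else m["val"])
    name = m["key"].rsplit("\\", 1)[-1]
    out = []
    if USER_WRITABLE.search(target):
        out.append(Finding("run key -> user-writable path", f"{name} -> {target}"))
    if masquerade(target):
        out.append(Finding("run key -> masqueraded system binary", f"{name} -> {target}"))
    return out


# Constructed sample input: (image, command line) pairs and registry
# indicators copied from the report above.
SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"'),
    (r"\??\c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    (r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    (r"C:\Windows\SysWOW64\diskperf.exe", r'"C:\Windows\SysWOW64\diskperf.exe"'),
]
SAMPLE_REGISTRY = [
    r'\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"',
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"',
]


def triage(processes=SAMPLE_PROCESSES, registry=SAMPLE_REGISTRY) -> List[Finding]:
    findings = []
    for image, cmd in processes:
        findings.extend(check_process(image, cmd))
    for row in registry:
        findings.extend(check_registry(row))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.rule}] {f.evidence}")
```

On the sample, `triage()` returns six findings: one Startup-folder drop, two masqueraded images, one Run value into `AppData`, and two RunOnce values pointing at the fake `explorer.exe` and `svchost.exe`. The directory check is the one that transfers best to live hosts, since the dropped copies keep the legitimate names but can never sit in `c:\windows\system\`.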
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
Files
memory/3808-0-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2544-2-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2544-3-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3808-4-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2544-6-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2544-7-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2544-10-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2544-9-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2544-11-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2544-8-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2544-12-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2544-13-0x00000000073A0000-0x00000000073A1000-memory.dmp
memory/2544-14-0x0000000000400000-0x0000000000628000-memory.dmp
memory/2544-16-0x0000000000400000-0x0000000001400000-memory.dmp
memory/960-19-0x0000000000400000-0x000000000043E000-memory.dmp
memory/620-23-0x0000000000400000-0x0000000000412000-memory.dmp
memory/960-24-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2544-27-0x0000000000400000-0x0000000001400000-memory.dmp
memory/620-28-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2544-29-0x0000000000400000-0x0000000000628000-memory.dmp
memory/620-31-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 6b9415dd036b61ecddc75ae491b0be75 |
| SHA1 | 460a75c95b24c522924a6ac0a9d119926d4e6b22 |
| SHA256 | d79295847d62eeb8528305838cfcf4564758506b7879ade63184388c14528bf7 |
| SHA512 | 7d671629dcb75f1a2dc796accf402f99ef455bb7aa58bdd01c26eda38af1b424b89f699f8a12524dee5716766650fe1422b8f65c4d649dff01d5c0a06672cf73 |
C:\Windows\System\explorer.exe
| MD5 | 71cc4582e23859894cdf271c8864cd7e |
| SHA1 | cfa38758c5eef58d77d11dc25ae2009f0b091e80 |
| SHA256 | 2335ef55514832b9cf117befd56503baffaa60a2fe7a7fdc1bdf906e66c87de1 |
| SHA512 | 337a7c14cfbd4c70bdffc918f5e08b1c09a956c42bfbd04ace0f98d5616dd3de5f26950e4cee84da5deb84c6e797a90dea0638bdd5a93579bd67a03ad0de7152 |
\??\c:\windows\system\explorer.exe
| MD5 | 0fa40a45c884e9f13871684d9cdf1fec |
| SHA1 | 9175da1356b1a1727a8c1aa35e9a8270b03c68cb |
| SHA256 | 73cfc00f8f5e9df8ac411408bc6c7b7b1532c49600968a0e8929de7be8811a6b |
| SHA512 | 69409f6fade23e0a6feda28c781683f7f3be50b11c151ea617891af9b1444bdf7711eabf0444e28ea3bf7ee60f1f8b8165bf5559d54c55127a1205cee3de3d39 |
memory/2108-39-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 8445bfa5a278e2f068300c604a78394b |
| SHA1 | 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65 |
| SHA256 | 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c |
| SHA512 | 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822 |
C:\Windows\System\explorer.exe
| MD5 | fdb3abe1d665333acd0f5f459411bafc |
| SHA1 | cad131ff5bc98877d678ef86bfda6e77e6049475 |
| SHA256 | ed4635bebd686c4e0e733be5f12d7795caa199d3d5b3b77b399d47292389c253 |
| SHA512 | 20d4b437e416cad30e2a9937c0dae194b291529af9941c94bcb45a4f3600b353dc83d8f40f5bc0bfcd6f02789bbffc82cdb54d092b42f0cbfaaed61d13fdf1c3 |
memory/960-46-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3492-48-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3492-51-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3492-50-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3492-52-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3492-53-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3492-54-0x0000000008C70000-0x0000000008C71000-memory.dmp
memory/3492-55-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3492-57-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3492-58-0x0000000008C70000-0x0000000008C71000-memory.dmp
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | aad0877defbf0b9cbd59fb5fb3c250e5 |
| SHA1 | 092118fe1b88c3ffb00f0ba171ca9d02cafdf843 |
| SHA256 | dbbf259a6bf613cdf74355c82397b32c33e8dfcf3481bdbdd5ac2f8789f057b4 |
| SHA512 | a668a9aa0343034e226ea6a72521b4b4e90b1602febb27ab704c10eb400ec7a4305c3470a6ba2653aadfa8e2bdad201b7e51833ff7f85566a33f38899c9a497c |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | 69781dd2543fdf58d405ad90a51ac5c9 |
| SHA1 | 928d0ddc74eb09874a70c29de92cc23d71a7908d |
| SHA256 | a5bbf2e0624e8656faecf98f0a2dfe9215355995c05d9464b01ccea24259badf |
| SHA512 | abe9eaadccfc4b87eadd404418ba91aa863b74ef145acc12f0a847b48541773e3171551cecb5816c47c28683c3b8161740a8160aa708f6bb8ce4d9687cee5c30 |
C:\Windows\System\explorer.exe
| MD5 | dd18d26b60ca724ac435f818b747e4b4 |
| SHA1 | 119270ef8c7308e1afe16cb8f1de2f6bade823ee |
| SHA256 | 0d86b3eff526984cc8c80fddd6021c9713e9739428ede50cf2e72506eef007d9 |
| SHA512 | 9b55d89939c1f147f6ca66fdfad2cfc1e60de39f8f32d9998786c7c8fca78671270eb7435c694c233364d4f5778934e75d8df3214f5db3e6a1f4b9797fb89269 |
memory/1056-68-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3492-72-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4180-75-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3492-76-0x0000000000400000-0x0000000000628000-memory.dmp
\??\c:\windows\system\spoolsv.exe
| MD5 | 428cc682a15a9db262c3e481ef1f147c |
| SHA1 | 8cdbe86d8f2c977972678eaff7bb97ca5cc8a6f6 |
| SHA256 | 8d0d07d6be32c2eedc758eb05cdf2983da24f3bdc327a4d1cbfc58eb4608e44a |
| SHA512 | 77a94f8fe07313c464be7f5fb77945dcd9c6ad4aa2d6fcbc4214b241e5c19b2fdc9ae272f2c4643901481bf0e2809429c0a931bbbf18b6e2a50a1482d6a649a8 |
C:\Windows\System\spoolsv.exe
| MD5 | d5f76784d1776b9bf00b7b7247652151 |
| SHA1 | 4f990f8cc0529f789310780fa90a6cbbe02597c0 |
| SHA256 | 4511b89e02e41ba7480e96e9834b4072df8328e8ba055ee346f9518a16863656 |
| SHA512 | 7fe49d1bdab23e2b48cffd4439d58061d27ea04e2ef0e5f3d43b838a356f7270dd374515a0e01aac1ac5fda9cc9b68594c8a4df22c1125ebd2a9a36453d8e5da |
memory/2420-84-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs
| MD5 | 13222a4bb413aaa8b92aa5b4f81d2760 |
| SHA1 | 268a48f2fe84ed49bbdc1873a8009db8c7cba66a |
| SHA256 | d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d |
| SHA512 | eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140 |
C:\Windows\System\spoolsv.exe
| MD5 | bf83622517c71b6ba865c1052985fbe2 |
| SHA1 | 1518736417d86a5883f9e6705c6fafd6db2d37fa |
| SHA256 | ac37a2bdbfa073eb6be2b1dfdc56df2b702701f2b428295037ef4661f32e447a |
| SHA512 | 232de3471a618ded0129c6ba3e7b398057b40885f5bb64f8f8ddc9a685a3d32894728751bec078481a0a3c69b62fdf204cdcfdeb54c7d32b1aca81e421f06fdf |
memory/2420-90-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3220-92-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3220-96-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 7d9d8394b9449ee9dd3fcebfdbacd4d4 |
| SHA1 | aa2763fb0a9b29a3fcd3c7d89f13ab4041e97df6 |
| SHA256 | 7938117b9c0f55e8d3dafc7b4112e515ee53ed87c88e4a70a963bbc0e672975f |
| SHA512 | 8b2c0a401ec59b2137bc49ecee422980696816b32a3d88ac6bf9199f99fdaadccaaa00240c541f60db414af53da6e00b1085e543455516b13736d88011088692 |
memory/3220-97-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3220-99-0x0000000000400000-0x0000000000628000-memory.dmp
memory/3220-100-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3220-101-0x00000000071A0000-0x00000000071A1000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | d64579985be59941da25529f147aab92 |
| SHA1 | 47d17d23ee66de97c5ca876ae4cf11059f22e07a |
| SHA256 | a5af8e8c59c1ccaf9c261c755ba4c896d70fb982275fa3754fcfdb26f024cd3b |
| SHA512 | ce3e40096ade4afa69d4e19f9bc2105e1f9bb2e05d83d783620092440c4e0dfdc22781a76df2c47798758693871babaf3e46784ecfb9df4ffdc5a8ce03fd252f |
memory/4952-107-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 5132a41535fa8fa6eb41b01f4fd4988f |
| SHA1 | 1b2b166555fffa865acbf79afbc18c5cbc5ce690 |
| SHA256 | 14d09cf51b9e64558bcfc362d8877ecf41bcca89801248623bc894cbcebfa611 |
| SHA512 | f23d6fbf7c0416182d58a0764b898eba33b51b867577c3ece861e34241c0376885f2399a33aa0080e43e097308ccce199f335597627f9d9f4e800a2620ed2407 |
memory/4040-110-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4040-111-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4040-113-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4040-112-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4040-114-0x0000000000400000-0x0000000000628000-memory.dmp
memory/4040-115-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4100-116-0x0000000000400000-0x0000000000446000-memory.dmp
memory/4040-117-0x0000000007250000-0x0000000007251000-memory.dmp
memory/1404-120-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1056-121-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 50a557665c5bb4fa372fadbeba73303e |
| SHA1 | df2eddc14a72381cc26c83268faa2f1806a58457 |
| SHA256 | 26a053bae335fa424fb830ccbab450145b163c9d475edffa38384e3e623bcd5e |
| SHA512 | 59d16c7bad2cb69ab52caddac72a3518e81f7aed71f313c52c6b618eccbfcad5ec809503d8f0405102b8a89b1c08bcc695a01cc5b19f83dad0b07c945dae76ad |
memory/1404-124-0x0000000000400000-0x0000000001990000-memory.dmp
memory/3000-125-0x0000000000400000-0x0000000000446000-memory.dmp
memory/1404-122-0x0000000000400000-0x0000000001990000-memory.dmp
memory/1404-126-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1404-127-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3220-130-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1404-132-0x0000000008B40000-0x0000000008B41000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 8b7ec4d3d67a165c2fb6e23a9b5c15aa |
| SHA1 | c741fa02cfb8c2f628e06a0785215e4e6aa33354 |
| SHA256 | cd203d169ff5cad3a86d1ab95acf2fe27ae81882ad36036dcfe8514a921c796c |
| SHA512 | 15de131246ab26d054ab3f3090b53f48db3679a71aeadc9eb2fb3a2033fcb9e9841a683efcc2a933522b04978aacb4215bf22d6b617e4ff8917d52ef42826211 |
memory/1608-137-0x0000000000400000-0x0000000000628000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | fba478552e3b8e6ad8346b0e4e757c24 |
| SHA1 | 9545adebc305cec19a9b8b8a54a38d12cac72dec |
| SHA256 | c3108888d80b4072fea9e6b7083d5661d4e069489ea3f025b596108d5deff248 |
| SHA512 | c13c00c9124ec833d98bddbde55916fa0d5d5c1dd4d360fe9673326612e62dc81ce63b31e0d3cdee92118a636ad771e1971200eab4a0209a3c5d66d47cd24d29 |
memory/1608-141-0x0000000000400000-0x0000000001400000-memory.dmp
memory/648-144-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3220-145-0x00000000071A0000-0x00000000071A1000-memory.dmp
memory/4040-149-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 3cb8a96d8ff37b4a10df1c8c7ba23104 |
| SHA1 | c5f228a5e43be961165b642b913ddec16fb002c5 |
| SHA256 | d905b1c4debd93da701095662c447056c5221fe6e94a52aec4519c98afd76751 |
| SHA512 | 908bec60c3c4655e87b89289ed115f4ee0f61b58d7aff971c82cd4cdf095016982ba131de38c9f483dce8d1403825b1434c6ff85fa07f7708d426a4a1e3d2e31 |
C:\Windows\System\spoolsv.exe
| MD5 | 1e7cd0aa1935cc675bd6acfc57bed70a |
| SHA1 | abc3c6401e41df8676002edc8ec2b758198bf5e1 |
| SHA256 | 054ec396f2ddbfb194b95a0013572629668c5f8419263fe787907c0eb6e369a9 |
| SHA512 | 1ab15042626df8319652de5a68030801cbdd594df8fc66392ccda9503710330a96156257ed90d4b89e263282470625503b5a4c1727469c7e8d4efb494562c97c |
memory/1608-152-0x0000000007490000-0x0000000007491000-memory.dmp
memory/3936-156-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2200-160-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 6333d03c31e01b95b1955043aaaed397 |
| SHA1 | bb3610625e6b5dcaf5da66861b2033e696ace33c |
| SHA256 | cd96e9a43fb5ca1fefc60c6d6aa6f0d4ac60a1d3bac0b27f9c04add1dad06043 |
| SHA512 | 847f7517f61b8cf25f313a5d91ebf572c9c70d3177293713598f2e3b0b256f42f48ee945b74b147c87b74229f904d483bc30dc7d0ffad2653e1c8b65c68e0d51 |
C:\Windows\System\spoolsv.exe
| MD5 | 76deb9d1b85a23807b407ebe2530276f |
| SHA1 | 07913935734c20f0f907ff028fa3e246eae80180 |
| SHA256 | 5200376faa825e44044caafbb8dbcc8c908f68371dc41b5a72de52c3aa0d4911 |
| SHA512 | 46a94185ce4914b9b943de89ccba742e832e31720d4deb88e10440ad0bb6361b3a91ac51fce95024db0cfde1c0549bcaa78522e0e1048e16ec3907f476703c2c |
memory/3912-169-0x0000000000400000-0x0000000000446000-memory.dmp
memory/2200-173-0x00000000071A0000-0x00000000071A1000-memory.dmp
memory/1404-176-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | e230695c8508d1dd05da9b1f8150a0e5 |
| SHA1 | 95deee881c579175356f93c5c6555197942f72ce |
| SHA256 | e26848238e4a47ebffff6dcd5ea19c430f6d69b156558e49f35d79621e269f1c |
| SHA512 | 73c54ffdb9d889bd9bf044a4a7df744966b745490cd6fbd12f09fc50946c4fae4ba6f30a2c24e4c66b57e93392d07443e95e0aa290ac6ae05905385a170ee8b4 |
memory/3152-180-0x0000000007390000-0x0000000007391000-memory.dmp
memory/3912-179-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 5c83714ac14719212a07ae34af6d13ff |
| SHA1 | 8f9c61dfc39cc7de96ad6413583508ec0ee48f82 |
| SHA256 | dd02fe039367f687f68ad880128a57bb6eae9df3bf4f9957b7eb3ef70b2a4624 |
| SHA512 | 2cb0f4f732444d8fd66b2fb75e16d1b48bed923834badd931157155d59ffcd71521d0b1f68d3b299080a5e102c76df5e5c45ba1acacd8805f481116e40373871 |
memory/908-188-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1608-190-0x0000000000400000-0x0000000001400000-memory.dmp
memory/2580-193-0x0000000000400000-0x0000000000446000-memory.dmp
memory/908-194-0x0000000007490000-0x0000000007491000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | f962405ba617e0e33033b9e8d974d8d8 |
| SHA1 | 436d5d85cc73b56946322cd19dbc4eae8bd406cd |
| SHA256 | c3ae9c9797af62b0050236bb0db104eabfeb7c8567e09b87791fd598081e735e |
| SHA512 | 972d7c7956c3318e589efe96c8dd89e22c3c2ebf56f59353e437b895c0e4362229509c26f7f1fc2422895a79f7a7d7853fe8171223a4b51986179fff9ec0b438 |
C:\Windows\System\spoolsv.exe
| MD5 | 963c5da593c5feda86337648bd9af538 |
| SHA1 | 4dcde838389bce56117edfac7ed52d11568d4aff |
| SHA256 | 7988a6d0b4c755947c39509474d39b73a127694ea6b0de674d312ae1d5129cfa |
| SHA512 | 191bd96700ccaf2af216870b37d561c1c9e2effcc9ff74490ff7599ebaa8f8696fddd3e9d5cc07ad5985c766dc1616fa36c34cb351f3a52627bdf7295bcaadd2 |
memory/2200-198-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3264-201-0x0000000000400000-0x0000000001990000-memory.dmp
memory/4712-203-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3264-206-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 995caca41a6720ea36b02876ce712e9d |
| SHA1 | f481d6040268155fb791151c69ea372e27c05e80 |
| SHA256 | 6afc700879cc6a44b7447381bcbd685bc4eb4380730eda03ab18d20acc1c92f2 |
| SHA512 | fa8d495bee5686bdbb120c1478e0936f61b2ce8e721afb628ad267c84aad492f223bed88bb9ebb673b6142a8a4a3f5c40c9082c4be4462c695a8d881c0e77ab5 |
C:\Windows\System\spoolsv.exe
| MD5 | 8f8b06f1261687f2bbddd260f8f905e2 |
| SHA1 | 8ad81df5cdcb574c64aee591b8292c9febcf35c7 |
| SHA256 | cea05085407edeca71f83b58e2e579bf3f932fe759bf28ea68425a9b8d1272ca |
| SHA512 | d9365201b948a775a86dc8d441f34eba8cf801572347ba0c49cf191e668dc57ac2bf79a0476ca8d7893b1bdb35e4af6d6b0367e531b1092bb1ba30033c8775ae |
memory/3264-215-0x00000000074A0000-0x00000000074A1000-memory.dmp
memory/2336-218-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3876-221-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | bf5874b19afa20fa3bf0e902da2302b4 |
| SHA1 | ca004c361dbe017dc97f1d423f381b30bc204b91 |
| SHA256 | 5dd9a4127ced859e3cdc4eb023bffa4f677eea7721f5e499bf19efcb95d25937 |
| SHA512 | ec2d720260668f20b76937781bb5995350a63684fa9c475af512b6f06ae23d90d0fa8f34b4864924ce0bd614a447095e555262a5a3ae3ec699c8e891581cd641 |
memory/3152-228-0x0000000000400000-0x0000000001400000-memory.dmp
memory/3876-226-0x0000000007520000-0x0000000007521000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | b66c95e03333690396f16d3d699508b7 |
| SHA1 | f497909cd7754e4de2ebcd95fedcceb2d7a2d464 |
| SHA256 | 7d30703c67fc845d3fd11ec96f3625cebfa0ef05b2d58bcec198f90473e61556 |
| SHA512 | ab3cb9556888b0c95b9b4337ddaba4366c2f30600a1bce7cc30b6ee761b850480a4a906d791470e445ca1fb7a6666d01957954111f8a78733b8bf413a9fb54bf |
memory/2652-231-0x0000000000400000-0x0000000001990000-memory.dmp
memory/4292-237-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | d3e9e93b727ee83e2b8b06110d3017c8 |
| SHA1 | 3a084b8eeeedcf37ec1b49e22f72c49f0a92e4e7 |
| SHA256 | 8c2224254e69c6279e3b661f438742c5c448267e3cb9966e0df11b57b2d03c96 |
| SHA512 | 5da30337261b699fd0abf617e9c133fe875bf5275e472e90a54eaa95409e313ef3487fcfa8911c4c26af9f134f29f28c875ee17c221a32182ca1bd377e7c5b5a |
C:\Windows\System\spoolsv.exe
| MD5 | dc815de4b487814c1b0bb56bf277b796 |
| SHA1 | 5bbf793a954aeecbea08bf8ddbe536433ab1f73a |
| SHA256 | 5c0a14b2f818f0b3e620fdda4e165bb6abb9252172190c64a89a86c58d09592d |
| SHA512 | b87e2f5243e0105cae92be92ff3cae89d76e1f1dd79e36f793e38a5cd00423c7c66ad3e89f3dc1052aa128068d53ff8bbde5cec872802c680c0d310bcebd9742 |
memory/2652-243-0x0000000007290000-0x0000000007291000-memory.dmp
memory/908-241-0x0000000000400000-0x0000000001400000-memory.dmp
memory/1600-245-0x0000000000400000-0x0000000001400000-memory.dmp
memory/4548-246-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | ff7e197341d102a403182abed0f01420 |
| SHA1 | 6f5ba1bbac72024079444439b42027de07933cb8 |
| SHA256 | 4be8c61d7f8725dafb650e127cb3f68668968a21f61761c7d39fb25f62fe89ad |
| SHA512 | 65cf6e46cf4c831eb85c970142a907c530b1b19f2bf1cd23a0622167b2c23277889fbb0590ef11ea16012eb409e8faae4f3112ea22c92bb289e3b8403abeadc6 |
C:\Windows\System\spoolsv.exe
| MD5 | 173bc7ae8306d4b43f0089621e0706c2 |
| SHA1 | 841b1a4e9cae7178c9908694634535a22c32a374 |
| SHA256 | df472823ebf930546a2cebc3be6977f1f1fcf091a02c3501a67b5324ac9bb433 |
| SHA512 | 77c08d1c70fd4fc1f1d99d99509fb0ee3a123863bfc75b4bf38bab7fa7666ef8c1868c2a2990eadb28d0ddf1f58c066cf10e55ef63da6709afdf011a393f7305 |
memory/388-260-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 72899266569cd75b7f56ee876d0771e4 |
| SHA1 | add0613f71b699eee2fedc17289d671e2c7eeac7 |
| SHA256 | 3910f0cebbf5d8da894b6e9cf1a72c4b542b4dfb626968252b6f263a8a40ff01 |
| SHA512 | d98cbafb4eccf398b2675262f64355ed072704c2ddeb64f4421e433b76ad9e28734cbb7e59029c5d2ee01bac70119e4a30706c2ca6900705de0bc6b68d31f58d |
memory/1600-272-0x0000000007150000-0x0000000007151000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 9047901f6be1841c6be69b587f9a9bef |
| SHA1 | 225663bfbb66f7d3bf47aacd3aeaf8d36419d4bc |
| SHA256 | 463bb774f64935229fd7657449f2dc4e2f50899a4497edf1b5cbae31b1fe016f |
| SHA512 | 7978402b9265ec861fe73df7d31cb7a7b8c6c2287e7661a28dfb036e22f283ae101bde13a4a4dcf975634ac76b4753fdbd474607d966ad380b05be87b696a20b |
C:\Windows\System\spoolsv.exe
| MD5 | 6b3159725f8ded76b9d763714c81fec4 |
| SHA1 | acac0941e662fb6d380f170d641a7c877817b8b1 |
| SHA256 | 770c9920adec258ed83f717e263313b498a36b332ab9e7e55258a0c6f80d97a0 |
| SHA512 | 68a33d8d3fd6e89d00826473b23468b7d8babad6398df1f3e933ffe94d8926dbcc26aa8fffcd7c3df316b326fe1b79c8e6ca9f593035a67c9d2628e6fc2384b8 |
memory/3264-277-0x0000000000400000-0x0000000001400000-memory.dmp
memory/388-278-0x0000000007070000-0x0000000007071000-memory.dmp
memory/4956-269-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | b5095eb2e9a67d7e96d9036871b9b2d3 |
| SHA1 | 87d08e892bf6140403eff1f4be9890fc4bec67a0 |
| SHA256 | 1e9568d57c2f9a42f2e09d05bbefbe0efd1d0c2ebdab1830f77efdfe00a109f4 |
| SHA512 | efbd461665333d1f1b7f7607a7b62d55ac9db81b5d5244cd1ab8423d2160a29465689745fe4836496fef2ca6f19d9008db97e2aed789bb77dac45982838100aa |
C:\Windows\System\spoolsv.exe
| MD5 | a6bfb7c5e6bd538fb5ca5410027e7817 |
| SHA1 | e036830040c995fa71395803ef857c8198a780e6 |
| SHA256 | 4a5d6056a4788cdaf1bfe217548bcd087a8d3467c5c6882ffc5384c30f4f79d7 |
| SHA512 | 4a5b26f9f3c44fd577a9645399a85656dba5b8acd74b0a5165f115dcc6b12379365628ecf87e3a7714e235620061585646c8d346120194c187e94b784d9e5bbe |
C:\Windows\System\spoolsv.exe
| MD5 | d85ae03e6a9b79205a29de1651b40c4f |
| SHA1 | d90856c796b5bb8c8d5c5eb6d4844e975b3dd079 |
| SHA256 | 4a8365f696ac2a8c7f8b0e011128ef296ec55a8fa152ed65c3e53ac30ea36a7a |
| SHA512 | 9733e0833c221dd90e0b27ca861eb7b7569acd11edd665d0a93a147da0d1bc7638d33148cb5c0f55b00468854bc2a90fcc05c463c1bf9a77f2767aa528f252c8 |
memory/2840-297-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | c667cee2f2d1ab7d07868ed6260b9618 |
| SHA1 | 30a9417187059c37a8ed9726a39311080accbc23 |
| SHA256 | da3998514f90aad565cdc2492d6e62005c6132588a61ab8b6b06976d384a48af |
| SHA512 | d3b67056e3b5887bc6ab2b87fb96d928126473e32f339c3e8c5ddd201c32b70829affaa51cedfa6e2d63ec774442fa1bb77f7559fe5be21cb435982f6063eea7 |
C:\Windows\System\spoolsv.exe
| MD5 | 2ddf6df817160984e047117d0375347f |
| SHA1 | 11f608ef7e7133e40188df577b54111c9f95cb06 |
| SHA256 | dfeea6c6621cf9667cc5cef6825757b7f36d967f0916e5d04e24d2e33ffeda21 |
| SHA512 | 10d95ebf6d36881613e6bd5180a0cfd617fb31324724e3efdb14d1cb39fc9f6634fbbda1a3e2b28b06ac0efe82ad0f6cb1f944db13543902eeffa4befb767215 |
memory/4664-300-0x0000000000400000-0x0000000001990000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 16bd25a3c6d3025ab13249e2c61d981b |
| SHA1 | 342fa28f45ff0c4f7c58441bff92d9ef6930ad36 |
| SHA256 | 2068e913253c1ecd5a6efc1da8450282824979323a77b46b4730d7321e564764 |
| SHA512 | 2fc5cc233cd133671c505da1b2048ebabb75a31b2baab2037a3bc9654a211e7d44e11fc5ab94b99cdbfe13a31902531dd538015d98ecf63f885506f0042f2059 |
C:\Windows\System\spoolsv.exe
| MD5 | 3cfdf2ddf2e502abaf85d91b18546efe |
| SHA1 | 6eb2f2367135a2543258051cefe5c5aee7c32201 |
| SHA256 | 08b22cd89d1eecad9c21d8cf5ff3262b5475827dcca2a7a74b9eed12fd3d805a |
| SHA512 | ee7b44cd0899ec745f452ad03edbddac133ebcce90d8f3918fd60ff343e62d77ae3b368d29d5ba20d31e7849bbb15739cb1c09a32a680d164423b16cfba61d74 |
C:\Windows\System\spoolsv.exe
| MD5 | 09a7b3c6426c87e7372356ba6a38fcff |
| SHA1 | 0c990b3990e67a9643328f4e721ecc7e15f01651 |
| SHA256 | fe6f28958d4a0f073ce4d94f5ffce64fbd050323b22d22e4f182d318c747b108 |
| SHA512 | b61798995c35a116e7a06eec53d16b732420e425e5538daf0f853528b948876174ddf9ae86187d5fab311c0d6746ed7d93d05288e90be4602bcd79bb694424c8 |
C:\Windows\System\spoolsv.exe
| MD5 | fd6a7ae6efdd4613f387af832d4f022f |
| SHA1 | 9f2e584c3d80e9438f431cf36cadeab9bc7afdcd |
| SHA256 | f8aaf3b2b599cc9de74fbb8691da9fe8e1749cb8452f6c8bad1ea044b5d89d7e |
| SHA512 | 605e0945196fec1848ee687b9c52d7ce942ba260de9ead7d2d3030f25b7b2e68698f7b1b0ad82ee06553004cdc6616e2c0101773087c084780d9989db8270b78 |
C:\Windows\System\spoolsv.exe
| MD5 | 2bd81f8ec10438c465af48a55f7dcb5b |
| SHA1 | a0f9aea762966ee0addf8a37f9bbb484b13eed1f |
| SHA256 | 03e7054dd4ec7cb0a2cb53fecf561c886d0ce8907e057786e840372eec93afc5 |
| SHA512 | 34d47ef73b7b6d691ab776a94adf957bee93e4d39f91c8ebeff6d634ae38584967188aaa27d699decd17a1addf5872d10b0d248cdd2b11cd266ed75881e1e5ea |
C:\Windows\System\spoolsv.exe
| MD5 | c08e3de0f4dd75bd37ffe405d863ad6f |
| SHA1 | 98422d88f5a930d095c7536d375913e07e3d39f8 |
| SHA256 | 9124fc0aa94e018d3280d9ea0d2e86eb6132f3dc605ef540a9fb617f0912e001 |
| SHA512 | 7c6cbe5416ac11d0ea2841e9c74bb4cd759de97689c0baf31985bcc0c6f18a165cbd3c13f41970171851d581e47281f55f2616a223101ff45d858236b13d0f5f |
C:\Windows\System\spoolsv.exe
| MD5 | 63a3a954864aca34f057c15c02be6590 |
| SHA1 | cf3ede97211de5a9a72bc81639fcf0eeda600bc7 |
| SHA256 | 2d535fd771f6d837d4f98c4230884e25723c7b592c5c63bd76510c16d59efa04 |
| SHA512 | e295181e438faf76fed0fbf482b563ca95e9579404a6abfe97089a62a9ad270edd68058a7b7ac578c3bd156bde01564acbab0f9282e30275177a3f2b443c36af |
C:\Windows\System\spoolsv.exe
| MD5 | 7fd74c1f46d490fac11fb1dcdaf3cd3d |
| SHA1 | 0a65e5e583c9a4c7ec981371401a8bed57078ffa |
| SHA256 | b8e135f5a7855b661d193942932bf9b5588964d5e6f660278004a40be8325224 |
| SHA512 | 5785a9340076f5bea847fb62dcb51407cc53a36e0c5eb5da2a2844dc573efbba8b697fab6ae97fa49bc9cc7c5ac84bea15bb37ce8d1444d78069341e322ab2fb |
C:\Windows\System\spoolsv.exe
| MD5 | 17c31cb7ad10c27b2cea9360d6c70a2c |
| SHA1 | a875214efaa9ff587f134210173159ea287478c0 |
| SHA256 | 63308a4dfc891e04e4a6f7c56a0dd97191ee7535b129c124ccda116e3f2162d8 |
| SHA512 | d4ea3431237bc6dd1177a0ea8014e4a266aa0bf23a2114a38af21e0aee3a3d277fdcb01a9cf95b3c68ba0bc7d76b4db4afaef14fa96770124e0f364a9e81c5b4 |
C:\Windows\System\spoolsv.exe
| MD5 | 1dfb8c9373e65d8f3885359015c7cf54 |
| SHA1 | 3554302584f899733f6f99f27ac15fb51dfd7183 |
| SHA256 | 57102bcbbd53a489c697f3429cc4036160398e857001128d570e13cb0f21f593 |
| SHA512 | 98ccc28bc6cbcb96121a61b14927d10a33d4f5b29a19bd950087bf8752505732d744769cd7b3f3ab85c5d6564342069071564692f9d222618fe81804af8214b8 |
C:\Windows\System\spoolsv.exe
| MD5 | 113183def317d6bebc3e747da8642b3f |
| SHA1 | 7fcfb6215e2a4e5c1f5d30237237df873e22e033 |
| SHA256 | 57719d6e40152a7042b8b7896ce8f821ebe01198ec01f19572d575eaad8e28d5 |
| SHA512 | 1013f3095f6e1434253f49aaf17de41e892e79d6d610e6bfdfd44037559fefe1cbbb3698dd29b77c24f9ba07e8ea859bfd6035a7d2bcb64edbdd849f5e7431b2 |
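Two things in the listing above deserve a practitioner's attention. First, every dropped copy is written to `C:\Windows\System\spoolsv.exe`, while the genuine Print Spooler binary lives in `C:\Windows\System32\spoolsv.exe`; the name is borrowed to blend in, the directory gives it away. Second, each copy has a different MD5/SHA1/SHA256/SHA512, so a hash blocklist built from one detonation will miss the next drop, whereas a path-plus-name check catches all of them. The memory dumps also fall into a few recurring shapes: a 0x46000-byte region at 0x400000 appears in several PIDs (2336, 4292, 4548, 4956, 2840), a 16 MB region at 0x400000 in others, and single 4 KB pages near 0x7000000. The script below is an added example, not part of the sandbox report or of any tool the report was produced with: it parses the report's dropped-file and memory-dump lines into structured IOCs, drops hashes whose length does not match their algorithm, flags paths that masquerade as a system binary, and groups dump-region sizes by PID. The `LEGIT_DIRS` allowlist is an assumption for illustration; the sample input is constructed from a few of the page's own lines plus one contrasting `System32` path that is not in the report.

```python
"""Parse a sandbox report's dropped-file / memory-dump listing into IOCs.

Added example for this page; not the sandbox's own code. Lines of the form
    C:\\path\\to\\file.exe
    | MD5 | <hex> |  ... | SHA512 | <hex> |
    memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
are turned into dicts that a detection engineer can feed into a blocklist
or a path-masquerade rule.
"""
import re
from collections import defaultdict

# Assumption for this example: where the genuine copies of commonly
# impersonated system binaries live. Extend for your environment.
LEGIT_DIRS = {
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.\w+$")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_report(text):
    """Return (files, regions).

    files:   [{"path": str, "hashes": {"MD5": hex, ...}}, ...]
    regions: [{"pid": int, "seq": int, "start": int, "end": int, "size": int}, ...]
    A hash row whose digest length is wrong for its algorithm is discarded
    rather than propagated into a blocklist.
    """
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, value = m[1].upper(), m[2].lower()
            if len(value) == HASH_LEN[algo]:
                current["hashes"][algo] = value
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, regions


def is_masquerading(path):
    """True when the basename is a known system binary but the directory is
    not one of the places the genuine binary is installed."""
    directory, _, name = path.rpartition("\\")
    name = name.lower()
    if name not in LEGIT_DIRS:
        return False
    return directory.lower() not in LEGIT_DIRS[name]


def summarize(files, regions):
    """Unique SHA256 set for a blocklist, masquerading paths, and dump-region
    sizes grouped by PID (recurring sizes hint at the same unpacked image)."""
    sha256s = sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})
    masq = sorted({f["path"] for f in files if is_masquerading(f["path"])})
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r["pid"]].append(r["size"])
    return {"sha256": sha256s, "masquerading": masq, "region_sizes": dict(by_pid)}


# Constructed sample: a few lines copied from the report above plus one
# System32 path (not in the report) to show the negative case.
SAMPLE = r"""
C:\Windows\System\spoolsv.exe
| MD5 | 8f8b06f1261687f2bbddd260f8f905e2 |
| SHA1 | 8ad81df5cdcb574c64aee591b8292c9febcf35c7 |
| SHA256 | cea05085407edeca71f83b58e2e579bf3f932fe759bf28ea68425a9b8d1272ca |
memory/3264-215-0x00000000074A0000-0x00000000074A1000-memory.dmp
memory/2336-218-0x0000000000400000-0x0000000000446000-memory.dmp
memory/3876-221-0x0000000000400000-0x0000000001400000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | bf5874b19afa20fa3bf0e902da2302b4 |
| SHA1 | ca004c361dbe017dc97f1d423f381b30bc204b91 |
| SHA256 | 5dd9a4127ced859e3cdc4eb023bffa4f677eea7721f5e499bf19efcb95d25937 |
C:\Windows\System32\spoolsv.exe
"""

if __name__ == "__main__":
    fs, rs = parse_report(SAMPLE)
    print(summarize(fs, rs))
```

The path check is deliberately separate from the hash check: on this report the hash set would need 28 entries and still be one drop behind the attacker, while `is_masquerading` fires on every copy from the directory alone. Region sizes are kept per PID so that a 0x46000-byte image recurring across processes stands out from the 16 MB parent image and the single 4 KB pages.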