Malware Analysis Report

2025-01-22 14:11

Sample ID 240228-n5f8zaba56
Target abd3f028f8a68b4608c9e7ac1064f101
SHA256 3391dc20d243deab3083f3fa8e943d88cabc28b4bc438988a5ddb334c380912a
Tags
rat upx warzonerat infostealer persistence evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3391dc20d243deab3083f3fa8e943d88cabc28b4bc438988a5ddb334c380912a

Threat Level: Known bad

The file abd3f028f8a68b4608c9e7ac1064f101 was found to be: Known bad.

Malicious Activity Summary

rat upx warzonerat infostealer persistence evasion

Modifies visibility of hidden/system files in Explorer

Warzone RAT payload

Modifies WinLogon for persistence

Warzonerat family

WarzoneRat, AveMaria

Modifies Installed Components in the registry

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops startup file

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-28 11:58

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-28 11:58

Reported

2024-02-28 12:01

Platform

win7-20240221-en

Max time kernel

130s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 1900 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 1900 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 1608 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe \??\c:\windows\system\explorer.exe
PID 1100 wrote to memory of 2188 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1548 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

N/A

Files

C:\Windows\system\explorer.exe

\Windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Temp\Disk.sys

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

\Windows\system\spoolsv.exe

C:\Windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-28 11:58

Reported

2024-02-28 12:01

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\System32\Conhost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3808 set thread context of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 set thread context of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 set thread context of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 2108 set thread context of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3492 set thread context of 1056 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3492 set thread context of 4180 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 set thread context of 3220 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4952 set thread context of 4040 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4100 set thread context of 1404 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3000 set thread context of 1608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 648 set thread context of 2200 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3936 set thread context of 3152 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3808 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2064 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\cmd.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 3808 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe
PID 2544 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 2544 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 2544 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 2544 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 2544 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe C:\Windows\SysWOW64\diskperf.exe
PID 960 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe \??\c:\windows\system\explorer.exe
PID 960 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe \??\c:\windows\system\explorer.exe
PID 960 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 1908 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1908 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 1908 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2108 wrote to memory of 3492 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

"C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Users\Admin\AppData\Local\Temp\abd3f028f8a68b4608c9e7ac1064f101.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2936 -ip 2936

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 504

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

Network

Files

C:\Windows\System\explorer.exe

\??\c:\windows\system\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

C:\Users\Admin\AppData\Local\Temp\Disk.sys

\??\c:\windows\system\spoolsv.exe

C:\Windows\System\spoolsv.exe