Malware Analysis Report

2024-10-24 16:47

Sample ID 240422-eq2fxsfc62
Target e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38
SHA256 e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38
Tags
rat warzonerat evasion infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38

Threat Level: Known bad

The file e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38 was found to be: Known bad.

Malicious Activity Summary

rat warzonerat evasion infostealer persistence

Warzonerat family

WarzoneRat, AveMaria

Modifies visiblity of hidden/system files in Explorer

Warzone RAT payload

Modifies WinLogon for persistence

Warzone RAT payload

Detects executables packed with ASPack

Modifies Installed Components in the registry

Executes dropped EXE

Drops startup file

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 04:09

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 04:09

Reported

2024-04-22 04:12

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 set thread context of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 set thread context of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 1592 set thread context of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1692 set thread context of 2140 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1692 set thread context of 1092 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1988 set thread context of 1292 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2360 set thread context of 1588 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1284 set thread context of 3000 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2504 set thread context of 2996 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2688 set thread context of 1492 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3056 set thread context of 2104 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1564 set thread context of 976 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2172 set thread context of 3020 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2360 set thread context of 1828 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2456 set thread context of 2832 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2240 set thread context of 860 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2208 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2420 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2804 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 2804 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 2804 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 2804 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1836 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1836 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1836 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1836 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1592 wrote to memory of 1692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

"C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

Network

N/A

Files

memory/2420-1-0x0000000000300000-0x0000000000400000-memory.dmp

memory/2420-2-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-4-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-7-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-9-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-11-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-12-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-13-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-15-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-16-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-17-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-18-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2420-21-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-26-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2420-28-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2420-29-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-30-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2420-31-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-32-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-33-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-34-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-35-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-36-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-37-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2420-38-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2420-39-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2420-40-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2420-42-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2804-45-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2804-47-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2804-49-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2804-53-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2928-59-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2928-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2804-65-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2420-68-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2928-66-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2928-63-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2420-69-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2928-71-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\system\explorer.exe

MD5 b9cabf433cb36f9f4afdda329cef4cd2
SHA1 6d6facd7b21b5c534da4349884b8e3d3f84eb164
SHA256 e02966c85377d5953b13c61a2b52009f72c029ed1cc0ae702aa0a041cb687422
SHA512 99e3e6fd3e98b3e52082940d99261a8e6e2a989b060a246cc440bd26122b1b1663b3bf8f464a31c8e0193c66c462284854650eb9153d0d1c289fe8f1d78980ea

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/2804-124-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1692-127-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1692-136-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/1692-139-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 0f6357a60bfd8fb2a54c6befb7f1850e
SHA1 1cb689ec9326b0c880ddf65454f5ae2c158e3ac6
SHA256 e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38
SHA512 eaeccb397b86d0c788c3ddde3c04066454d733b18227af8a1b9733e2dd1d6c287b1e097baa0ae0258167ca5d8520474bde4fd27d33ef5834cc2f13a85b47381a

memory/1692-171-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1692-174-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1092-173-0x0000000000400000-0x0000000000412000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 3de08bd4707968f2f2d600f9c881d6c3
SHA1 14b96a22dbf446d295ec822ef6dbcd90f492c7e9
SHA256 28e4d2d7e320f9e5e95cc0d1b0c42aca4d64b21696f61612dc59819a57bb90f0
SHA512 2cd5fb0ffc4745a28973dae1308dc6fe3cc9dc45cda8ad71be9141d1e526fdf61faba5e900d8a2344c73036acf0cd5e637ad05849727f41af3b4ee77ddf463b1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

memory/1292-225-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1292-242-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1588-292-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3000-336-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2140-382-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2996-385-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1492-424-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1492-445-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1292-471-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2104-496-0x0000000000220000-0x0000000000221000-memory.dmp

memory/976-539-0x0000000000220000-0x0000000000221000-memory.dmp

memory/3020-580-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1828-633-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1828-656-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1492-677-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2832-728-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-731-0x0000000000400000-0x0000000001400000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-22 04:09

Reported

2024-04-22 04:12

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Detects executables packed with ASPack

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3408 set thread context of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 set thread context of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 1136 set thread context of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 3956 set thread context of 928 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 5112 set thread context of 2948 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4276 set thread context of 400 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1896 set thread context of 2312 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2444 set thread context of 4648 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2028 set thread context of 3000 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 888 set thread context of 1064 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2248 set thread context of 4880 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3284 set thread context of 1364 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1180 set thread context of 4820 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1572 set thread context of 3564 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4564 set thread context of 4744 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1372 set thread context of 4148 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1676 set thread context of 212 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2436 set thread context of 1568 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4164 set thread context of 4424 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2248 set thread context of 64 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3420 set thread context of 1496 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3160 set thread context of 4164 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 2500 set thread context of 1604 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3060 set thread context of 2440 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4476 set thread context of 2608 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1668 set thread context of 4064 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 3684 set thread context of 4540 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 1796 set thread context of 2828 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe
PID 4820 set thread context of 3168 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3408 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\cmd.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 3408 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe
PID 364 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 364 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 364 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe C:\Windows\SysWOW64\diskperf.exe
PID 2956 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 2956 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 2956 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 4608 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4608 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 4608 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 1136 wrote to memory of 3956 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

"C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Users\Admin\AppData\Local\Temp\e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\explorer.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c echo on error resume next:CreateObject("WScript.Shell").Run "c:\windows\system\spoolsv.exe",1: >"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3344 -ip 3344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3332 -ip 3332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 504

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5732 -ip 5732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 504

C:\Windows\system32\dwm.exe

"dwm.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/364-1-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-3-0x0000000000400000-0x0000000000628000-memory.dmp

memory/364-4-0x0000000000400000-0x0000000000628000-memory.dmp

memory/364-5-0x0000000000400000-0x0000000000628000-memory.dmp

memory/364-6-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-8-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-7-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-9-0x0000000000400000-0x0000000000628000-memory.dmp

memory/364-10-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-11-0x0000000007140000-0x0000000007141000-memory.dmp

memory/364-12-0x0000000000400000-0x0000000000628000-memory.dmp

memory/364-14-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2956-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2956-21-0x0000000000400000-0x000000000043E000-memory.dmp

memory/364-24-0x0000000000400000-0x0000000001400000-memory.dmp

memory/364-26-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\explorer.exe

MD5 8f9036848c941d9c071c6ae3a05f1385
SHA1 9e1d9d35651f952790c83131f2baa18faf41d7c3
SHA256 a353309b7a169321d8fea58a73e7f2568c27c3b489846688bb4bc0ded0f2ddd3
SHA512 5794f4d1841d340530b4b98b2c5e12e2cef516c00760294c8e3c1bb1505c4e8fb2b1725d1ab1866d4cdcfe785a41122aab2f2443457105a85a3a1bed37af3bba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 8445bfa5a278e2f068300c604a78394b
SHA1 9fb4eef5ec2606bd151f77fdaa219853d4aa0c65
SHA256 5ddf324661da70998e89da7469c0eea327faae9216b9abc15c66fe95deec379c
SHA512 8ad7d18392a15cabbfd4d30b2e8a2aad899d35aba099b5be1f6852ca39f58541fb318972299c5728a30fd311db011578c3aaf881fa8b8b42067d2a1e11c50822

memory/2956-39-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3956-41-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3956-42-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3956-44-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3956-43-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3956-45-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3956-46-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3956-47-0x0000000008C00000-0x0000000008C01000-memory.dmp

memory/3956-48-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3956-50-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 0f6357a60bfd8fb2a54c6befb7f1850e
SHA1 1cb689ec9326b0c880ddf65454f5ae2c158e3ac6
SHA256 e068e8ea336618075b13a205370021b3aa1dde4788b4b7e9a262b18303af3d38
SHA512 eaeccb397b86d0c788c3ddde3c04066454d733b18227af8a1b9733e2dd1d6c287b1e097baa0ae0258167ca5d8520474bde4fd27d33ef5834cc2f13a85b47381a

memory/3956-62-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3956-63-0x0000000000400000-0x0000000000628000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b035857beb4444920778085e2cdabee8
SHA1 e265f7671870b9c6dd1c1e764ad30364b23eccb3
SHA256 b01173847cf6f37eb6a93bb47121d0e2c16d2be12f0288e2dcf2a64bab2093d4
SHA512 e0a2c6cc4e79fb6ee621f4490b7145e538b1359be1f65b8fe2db312dc60a065166d8fe19e2f15e738eaeb3232614650ea4541908631b0d6ca7cb9cc457b2f055

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\x.vbs

MD5 13222a4bb413aaa8b92aa5b4f81d2760
SHA1 268a48f2fe84ed49bbdc1873a8009db8c7cba66a
SHA256 d170ac99460f9c1fb30717345b1003f8eb9189c26857ca26d3431590e6f0e23d
SHA512 eee47ead9bef041b510ee5e40ebe8a51abd41d8c1fe5de68191f2b996feaa6cc0b8c16ed26d644fbf1d7e4f40920d7a6db954e19f2236d9e4e3f3f984f21b140

memory/2948-81-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2948-83-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-82-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-84-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-85-0x0000000000400000-0x0000000000628000-memory.dmp

memory/2948-86-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2948-90-0x0000000007510000-0x0000000007511000-memory.dmp

memory/400-95-0x0000000000400000-0x0000000000628000-memory.dmp

memory/400-96-0x0000000000400000-0x0000000001400000-memory.dmp

memory/400-98-0x0000000000400000-0x0000000001400000-memory.dmp

memory/400-99-0x0000000000400000-0x0000000000628000-memory.dmp

memory/400-100-0x0000000000400000-0x0000000001400000-memory.dmp

memory/400-104-0x0000000007030000-0x0000000007031000-memory.dmp

memory/2312-106-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2312-107-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2312-109-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2312-110-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2312-111-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2312-112-0x0000000000400000-0x0000000001990000-memory.dmp

memory/2312-113-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2312-115-0x0000000007390000-0x0000000007391000-memory.dmp

memory/4648-120-0x0000000000400000-0x0000000000628000-memory.dmp

memory/928-119-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4648-126-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4648-130-0x0000000007160000-0x0000000007161000-memory.dmp

memory/2948-135-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3000-139-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3000-144-0x0000000007280000-0x0000000007281000-memory.dmp

memory/400-145-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1064-153-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2312-160-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1064-165-0x0000000007140000-0x0000000007141000-memory.dmp

memory/4880-170-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4648-172-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4880-181-0x0000000008D80000-0x0000000008D81000-memory.dmp

memory/3000-185-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1364-196-0x0000000007480000-0x0000000007481000-memory.dmp

memory/1064-202-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4820-205-0x0000000007280000-0x0000000007281000-memory.dmp

memory/3564-212-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3564-215-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3564-221-0x00000000070C0000-0x00000000070C1000-memory.dmp

memory/4744-230-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4880-227-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4744-233-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4744-235-0x0000000007480000-0x0000000007481000-memory.dmp

memory/4148-245-0x0000000000400000-0x0000000000628000-memory.dmp

memory/1364-248-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4820-252-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4148-259-0x0000000007030000-0x0000000007031000-memory.dmp

memory/212-262-0x0000000000400000-0x0000000000628000-memory.dmp

memory/3564-267-0x0000000000400000-0x0000000001400000-memory.dmp

memory/212-271-0x0000000007180000-0x0000000007181000-memory.dmp

memory/4744-282-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1568-290-0x0000000007140000-0x0000000007141000-memory.dmp

memory/4148-304-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4424-305-0x0000000007180000-0x0000000007181000-memory.dmp

memory/64-307-0x0000000000400000-0x0000000001990000-memory.dmp

memory/64-314-0x0000000007180000-0x0000000007181000-memory.dmp

memory/1496-321-0x0000000000400000-0x0000000000628000-memory.dmp

memory/212-323-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1496-330-0x0000000007180000-0x0000000007181000-memory.dmp

memory/1568-429-0x0000000000400000-0x0000000001400000-memory.dmp

memory/4164-437-0x0000000000400000-0x0000000000628000-memory.dmp

memory/4164-440-0x0000000000C10000-0x0000000000C11000-memory.dmp

memory/4164-438-0x0000000000400000-0x0000000000850000-memory.dmp

memory/1604-464-0x0000000007290000-0x0000000007291000-memory.dmp

memory/4424-462-0x0000000000400000-0x0000000001400000-memory.dmp

memory/64-472-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2440-473-0x00000000071A0000-0x00000000071A1000-memory.dmp

memory/1496-486-0x0000000000400000-0x0000000001400000-memory.dmp

memory/2608-487-0x0000000007190000-0x0000000007191000-memory.dmp

memory/4064-500-0x0000000007510000-0x0000000007511000-memory.dmp

memory/4540-587-0x0000000000400000-0x0000000000628000-memory.dmp