Malware Analysis Report

2025-03-15 06:30

Sample ID 240123-2gks5sbeek
Target 70bb0cb883fff431982f79554ce8e027
SHA256 3904aeda3f5ce781de53b11513850ca321c896e25d4b88262f4a84d7f644df8a
Tags
rat aspackv2 warzonerat evasion infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

3904aeda3f5ce781de53b11513850ca321c896e25d4b88262f4a84d7f644df8a

Threat Level: Known bad

The file 70bb0cb883fff431982f79554ce8e027 was found to be: Known bad.

Malicious Activity Summary

rat aspackv2 warzonerat evasion infostealer persistence

Warzonerat family

Modifies visibility of hidden/system files in Explorer

WarzoneRat, AveMaria

Modifies WinLogon for persistence

Warzone RAT payload

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

ASPack v2.12-2.42

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 22:33

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 22:33

Reported

2024-01-23 22:35

Platform

win7-20231215-en

Max time kernel

151s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\spoolsv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 1684 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Windows\SysWOW64\diskperf.exe
PID 2260 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe \??\c:\windows\system\explorer.exe
PID 2060 wrote to memory of 2924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2060 wrote to memory of 2896 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2924 wrote to memory of 852 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2924 wrote to memory of 1912 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1912 wrote to memory of 1620 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 1724 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1724 wrote to memory of 2412 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 332 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 332 wrote to memory of 1600 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 640 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 22:33

Reported

2024-01-23 22:35

Platform

win10v2004-20231222-en

Max time kernel

86s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe
PID 3104 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Windows\SysWOW64\diskperf.exe
PID 3104 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Windows\SysWOW64\diskperf.exe
PID 3104 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe C:\Windows\SysWOW64\diskperf.exe
PID 2036 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe \??\c:\windows\system\explorer.exe
PID 2036 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe \??\c:\windows\system\explorer.exe
PID 2036 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 184 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2872 wrote to memory of 4484 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2872 wrote to memory of 4484 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2872 wrote to memory of 4484 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2872 wrote to memory of 4484 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2872 wrote to memory of 4484 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe

"C:\Users\Admin\AppData\Local\Temp\70bb0cb883fff431982f79554ce8e027.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4056 -ip 4056

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4208 -ip 4208

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1936 -ip 1936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5060 -ip 5060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2772 -ip 2772

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1372 -ip 1372

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2096 -ip 2096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4268 -ip 4268

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1844 -ip 1844

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1256 -ip 1256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1020 -ip 1020

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 428 -ip 428

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1776 -ip 1776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4548 -ip 4548

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 432 -ip 432

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1320 -ip 1320

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2028 -ip 2028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1784 -ip 1784

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1244 -ip 1244

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2068 -ip 2068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1128 -ip 1128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1612 -ip 1612

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4756 -ip 4756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1684 -ip 1684

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1536 -ip 1536

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3036 -ip 3036

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3528 -ip 3528

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 380 -ip 380

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4156 -ip 4156

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3660 -ip 3660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1880 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1880 -ip 1880

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2424 -ip 2424

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1348 -ip 1348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 4832 -ip 4832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4144 -ip 4144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 2052 -ip 2052

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 4548 -ip 4548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1016 -ip 1016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 320 -ip 320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 320 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2116 -ip 2116

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3348 -ip 3348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3544 -ip 3544

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 620 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 620 -ip 620

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 2676 -ip 2676

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 3164 -ip 3164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3288 -ip 3288

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 4352 -ip 4352

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 2228 -ip 2228

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4520 -ip 4520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 2216 -ip 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 4044 -ip 4044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2208 -ip 2208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 1368 -ip 1368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1280 -ip 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2708 -ip 2708

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 1020 -ip 1020

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 4808 -ip 4808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 3008 -ip 3008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3460 -ip 3460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 3440 -ip 3440

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3444 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3444 -ip 3444

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3080 -ip 3080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3196 -ip 3196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 192

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp

Files


C:\Windows\System\explorer.exe


C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe


C:\Users\Admin\AppData\Local\Temp\Disk.sys


\??\c:\windows\system\spoolsv.exe
