Analysis Overview
SHA256
14e9641eb54a6a1636b8d20f59805bb4bed00aeb75e04ae8187d2b4c93611c5c
Threat Level: Known bad
The file 7c531d1fea8dadc8067a0862439b38e6 was found to be: Known bad.
Malicious Activity Summary
Warzone RAT payload
Modifies visibility of hidden/system files in Explorer
Warzonerat family
Modifies WinLogon for persistence
WarzoneRat, AveMaria
Modifies Installed Components in the registry
Loads dropped DLL
Executes dropped EXE
ASPack v2.12-2.42
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-28 05:58
Signatures
Warzone RAT payload
Warzonerat family
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-28 05:58
Reported
2024-01-28 06:00
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
150s
Signatures
WarzoneRat, AveMaria
Warzone RAT payload
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5056 set thread context of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe |
| PID 5056 set thread context of 1948 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 4980 set thread context of 4500 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 4980 set thread context of 5048 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"
C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
Files
C:\Windows\System\explorer.exe
| MD5 | 6632cef9f03f02159ef1773ce38b0401 |
| SHA1 | f13e86e61015f28114a3da0865907377120b2200 |
| SHA256 | 59f4ac393b8a9668027411e67c74bafd5c8af681355cc84075083910a2f07625 |
| SHA512 | f670b9eba363962adfc7f67f11bcca0ed08618662791a69c87908b031ba7d92f7989ee50546300fd395b6f16486082c26ee4843b19ef1afc90aff24bd1f249c1 |
C:\Windows\System\explorer.exe
| MD5 | d9dee7c49668b7aa57da3f9f3eb0b458 |
| SHA1 | de3bb2b9d84072fa8d33ec73e3a4cfb7d560622d |
| SHA256 | 970254f1a9ed4653c4f19561d438c4ef290b7465ad1612e5eef73834dc8bf6ad |
| SHA512 | af9102fdf104fba991b6da95819e2e44264d45e20a5bff6fb8c419c040d89cdf0914a29e10ab6832dd15b71a5940a5a778cf042117f930cda97b9e6b3e97e618 |
\??\c:\windows\system\explorer.exe
| MD5 | 4e5b2cd28551717043b92b0c2dbd204d |
| SHA1 | d857a6f2f517f72bdc6de94a0fdcc5732dc65aa3 |
| SHA256 | 06036834369de85a995d6f9b5f2c7700002f7643e6d143b479a84ae5fa71e063 |
| SHA512 | 49abdfc5c6d8fe4dd8b2d9819d5f8ce3ba955b70b43e3de5b272176b175000dbdc5577328d9818045524e8be6d9ccf831851f9f4ec3cf23f078fffc31c9e5ca9 |
memory/4980-28-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4980-29-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4980-30-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4980-31-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
memory/4288-33-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4288-32-0x00000000004E0000-0x00000000005A9000-memory.dmp
memory/4980-34-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4980-36-0x0000000000BA0000-0x0000000000BA1000-memory.dmp
C:\Windows\System\explorer.exe
| MD5 | 66572e8a1cd64d2827d5ef5bb56ed85d |
| SHA1 | 446e5c59c156e8d5353b9a518a2bc56a29b8257d |
| SHA256 | 976ab0fbe11d96e4c10c1c3fbd5416798e55d647243c97c5281092f8490358b5 |
| SHA512 | d6185676913ea70a18a7b58959b0540ccc5bd02a1908ba0500970e90225e13d134e59852c79d8abf6f97dad21e0b3fc98c24935fc7e17a39c479b147aad53ddb |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | d74b179ce593f43306a4cf4aef79b438 |
| SHA1 | 5b16e438751cbd37ed01817822b20b912cf2bfea |
| SHA256 | 86ed127bc76354c93868b7e3f283d4c720946c0afa6c3de754e48383d1e796d2 |
| SHA512 | 9a00b2d5e058945c4803a3586f66a3fc7a1be217e142ae0ada9363cc89f367d9da4e5eff1dea0fd8dc1a42315cceec2833711544ee60a2fac60eebbdad690962 |
memory/4500-46-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | ba09f1383f5f0306eb3107c9c78f7620 |
| SHA1 | fb9bb8583a282f39eb3c6a1a09a3f95beec93d61 |
| SHA256 | 0b7b40290d10a4e2f5659816e2d7f53f19667c1c318c19ace7b2a8a8b6f9c101 |
| SHA512 | cdfb75e28a01611babc5859ce6db0585f79d682f781babfd7ca34b8860f81bc6c906e22f111c8c4995bbac9326c631662eec773f2fa8a906debce3e943721aa0 |
memory/4980-50-0x0000000000400000-0x0000000000514000-memory.dmp
memory/5048-55-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 25958de6c9fbd4c085592ccc9d85b254 |
| SHA1 | bb9311faf2ac9672b2b582c4ca12aac13f124d6b |
| SHA256 | 02b254cb54ee9b62051e91d7801e408d85e23545729c5b1b3f7a0971b10a3a37 |
| SHA512 | deffae271474564910d7522a27d989230939e52a48a5bc75c7fa56454be4cb2cda8b10d7c92da73148e736b5afda00a664a7a6a736849a45bf6459bb46277b8d |
memory/848-62-0x0000000000400000-0x0000000000514000-memory.dmp
memory/848-63-0x0000000000400000-0x0000000000514000-memory.dmp
memory/848-64-0x00000000009A0000-0x00000000009A1000-memory.dmp
memory/848-61-0x0000000000400000-0x0000000000514000-memory.dmp
\??\c:\windows\system\spoolsv.exe
| MD5 | bedcd9704189b11ff6fff2bf1daa1e58 |
| SHA1 | d1fe072187f05af4265dafa70de86a69950cb0de |
| SHA256 | 8daa0691fb578a54d19d746291a0cbf402490e56deaaf9daa4a9773d6781eac8 |
| SHA512 | a2697ff8248967c8b5dde68a94723377fc28c8f8c1787822d77ebc7e6c8c44e60be5a9c9a48be07341eac43c220c3bf85221bd197b694e85fe2c8b370130c389 |
memory/4464-68-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 143e44669d499180284d85061dc8f289 |
| SHA1 | 16d36114537e92cc94c6ac3c8d1f09966ceb1739 |
| SHA256 | 37cdaac10fc76f1fb22fc80d4405b5d2db22cecabcf4983e208d825152df897f |
| SHA512 | 0a98efc28169084f9f080b27a5322f988c2fd9fcce22e34c87646028f314d6caf6f0487ef376f803a18b9edd85702e4f9dab027db708be9fdb96646e213dd360 |
memory/4464-69-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2176-71-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 21eb04fdc3e1986973415601169890fc |
| SHA1 | 4539d885d66b53e21c59ceb66c523bbad4cb3a44 |
| SHA256 | 053f824059f2d4a98a74cf8192e5f15af03e2f3488ecb2a02eab325b350faee6 |
| SHA512 | 51011733583cfb3e988735f6e16bba88f6a8c47ba6331bc3041a88240d9283e4831e3dcaed639be4436aa177d969c033dda9c07566db8edcb2520a83e171b9fa |
C:\Windows\System\spoolsv.exe
| MD5 | 0b28d1d51111e1ea4b61a0fe6240bd2d |
| SHA1 | 080f730156dda4048cae0553ac2ec459d0cb1e93 |
| SHA256 | 984c1710367920c99ee9cf02fe008a693d374c67c886824ce3fe359259c76f94 |
| SHA512 | 08068f862701ccf483eff6f384483011d25683c8d0509a2cfe613465e0958dfafc910a686943d2f645a9447d01f8355748252ddd329c9cf8228fd5acb9dd5fb7 |
C:\Windows\System\spoolsv.exe
| MD5 | 7a7532f9eec9e7c1640955864693048e |
| SHA1 | a09ef56fb4f396df20ce153a6653a51f74f20285 |
| SHA256 | 57e8b3b4bc8386070ce6397d5e53e601f64e58a5ae441af34bfcab2e27180e8a |
| SHA512 | 42c96d52e3f7bb9fc3079ec17a13e0224a76f533452b0dc9367e0b7b5557f84320d41147bc8d3dab0bb5b2a828754aacac5b2fe8eed9262ab927599cc083b900 |
memory/4888-74-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 207b81bd303dae3956295b494fe93425 |
| SHA1 | 32fe3ffd3a3fb935dc753532248e451d2fb59aae |
| SHA256 | f94dd434b20b144b15b786c08c300787c9c24f5b6ead56680a7c71b7a2e68a07 |
| SHA512 | df0754b4e98ab7ba4f56bddd01a4b34c1424b3bd1fc9000c8f37ce7102cee8bc5d01a5eb32cc613f049b3608bd7c3f61a1ea7452c81b53adbd08dd875d54214f |
memory/4136-76-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 18ce6bdb3f1a2773e64b0a8a7c8661c8 |
| SHA1 | 9428e35e4278de33e681655871531f19173fe5e0 |
| SHA256 | bed9e52bc3903b17e266695f5d50c6f77a8a03581576ff9680157fe7be04fa9c |
| SHA512 | 59d4b7b4f1543154b5e5743810076367ed24ec660740a4e57d2e682f70cd8e9bc129ea97c98f39c05a68fa8a7a252ecb5627a064e0327ef9e1da17efff72cf04 |
C:\Windows\System\spoolsv.exe
| MD5 | 902942c45d3297ac0bde33fc41580170 |
| SHA1 | 16f7c0ac7f4f0833e64280d174dab8808dac1aa3 |
| SHA256 | fcc487ea84888a3380356dd03a27e4f7afb726a50641d4180093f28b30778b81 |
| SHA512 | 80e6b96d954a022eb42bb6b85cf9248db7605a12ac0e6824e3827c20ca27c62cabfc77f3bc648ac5eef1108e29dd7cd0ab32568145fa1169dd569b9e38350e0a |
memory/4500-79-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | aecdc768b9703013cabb5b284e1e2b81 |
| SHA1 | b43a0d9d7c2499a39e65d57daebbb0be5b08d01f |
| SHA256 | cb194997211392d6ac73d1559dbf9ce3bcc17f412a1a198a5dc1cb89fb9d33c6 |
| SHA512 | f39972c60e8c81e5853d8492a3b122f250aa2dc447390af437417966136793a4436c35070fc01215b10eb0de748d3fea5aaec444f4c019e273a7261b433fe48e |
memory/848-82-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | eb911616321eb19e789da0a5ea2dbc66 |
| SHA1 | 2df2e397ec8ae5c2d783ead3be17d7c752519c56 |
| SHA256 | 0e6366cbbc20dc698dd1c9badbe0e06fdca1c77f30447602df274d9376203228 |
| SHA512 | f7bb7d807ffec5c5c59758183e806cee96bc237c2006059c952b2ca3ea6b707c04e386cffc1de52113e410c60ca54b32673f371c00275b0ba4ad0414fa7371b5 |
memory/848-84-0x00000000009A0000-0x00000000009A1000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 53cdc0226044120df99e4d01a502a8b4 |
| SHA1 | 1773f9664476ce86a07c1fec5c1e5ed382618fcb |
| SHA256 | 882e0c2965c1824d8f7fae04fa59675cadd53e81c2c663a01e587941bd1fcec6 |
| SHA512 | 027291ed964f91a6f1983d5982a9d2878eb2efc276d19c569d0e52a83b59defbc6cab2ef2f993d638d724919a2dabea4e6e7ba0751c7036571ed095df0d82983 |
C:\Windows\System\spoolsv.exe
| MD5 | 90c8dfcc30c29c2c51fd1c1c5599c3de |
| SHA1 | 893c8b18522b0299cc3d70ed0250d93bcbde8fbd |
| SHA256 | b3634f8b86aa03c916bc3ecfe7112824b70bddc0a5b439bd266f75b8fd7114e9 |
| SHA512 | b93f0c2f653d66f242d018254293b229340d81a11c04b73ff068bea2707ff82e7e790cc7015d571cb0724c896bdfa621e016da22adce88f5a0ca653d7f36d6bf |
memory/4496-86-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2528-88-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | a40b6a04ed8f42e3ba9de4468ee9a7db |
| SHA1 | 6db6b6eac81b26d353598cbc354fa76292a889d1 |
| SHA256 | e5aeef68dfd6399594a856c66feeb62d8d567f386ed11e63e8a6e80eed2244a2 |
| SHA512 | a3ef863289450b8f5af9c51907b3cea83f92b016e87c14a690d9e85d182d5fd88087b6debd85657199230dfaa22077e9da929e29ab7ca87fe54515a881fa152b |
memory/4532-90-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 474454af3101f2e79099e4051466010c |
| SHA1 | b4b41fdce57cc809d755cb2766b6e4976fdd3446 |
| SHA256 | 0d7c04c251df31ed40eb25c746de670d0688c431dd3eca4b2ab5ebd1223bc1e5 |
| SHA512 | 785f6e93deb1b07ae9d6b1d7c99cd5099a7ab364b53100142a66356187ad95c1792d04e8c9558644ada46dd19431ca79cfc758048d0bcafee7ee5e8d056781d5 |
C:\Windows\System\spoolsv.exe
| MD5 | 0aa7e03625af39aa37861d61ea7e24cf |
| SHA1 | b518036c5b30982364407104ce2bd0dd6210ea18 |
| SHA256 | aafc1c2c5fee18c59716ff85e9c8a8171f2c3f17a92eeb36dd33d5ee580e5a05 |
| SHA512 | 677e0548c10619f8d8b5b16e4e057fb853ac8e6067797577d4e2e4246fa1334795f243160e9579845666f7a5ed86de913eaba814ba639a7418e0eff08a5342e6 |
C:\Windows\System\spoolsv.exe
| MD5 | f517957eef2eeeca3489237c944aa8fc |
| SHA1 | 2c782f63c5d97fcf1f5c9a9afe080147572ab64e |
| SHA256 | deeb398350d35636a424ae4b00d49ce690cdd46297c7c04fa47d9a43a4a1f57d |
| SHA512 | 7cf6dc61ed8c17df6a9a4c99130b0f0bc1963e3ed14a69ef54161db9be877c65fcc67910a87ba3c1260ba617d2ee1cc249b905681078c2fe8875403e02d5025a |
C:\Windows\System\spoolsv.exe
| MD5 | db257b3c4aa118d5405a73f76db1f1a5 |
| SHA1 | 88ccd47cceb0d242f84c910f74a50648a77b4dee |
| SHA256 | a8f305d659c37d9cca7ba956959a15c3f43e327353c03cc76c4e94099eeefbf0 |
| SHA512 | 8b163497e8d17e411a589d17cfb8b5c5162781892ea2ec8840b11333ae94413461a05907fcb63ce3ffebeca11deb627f6a4e6c5469629818374546dee7f91477 |
C:\Windows\System\spoolsv.exe
| MD5 | 67097edd98a86ce36af2cf196940c5d5 |
| SHA1 | cc881ce1ceb31318e0bee849ec7059fdffefbdcb |
| SHA256 | 7aa3736b628c679b94eb697399957dc49f77cc26cefe4313cdb89d9c486e0a3f |
| SHA512 | 609817fe6f64668339b7e153279afd2bf4e46a4d7762e0901f4c7229b4ce9309fbecb3185253eb17ea9f304653b91d4419e28091627a8f977601b6d1489faad9 |
C:\Windows\System\spoolsv.exe
| MD5 | 2e55b4e303e6b946faa4213bb2a1998c |
| SHA1 | 66efd7c64320ae353554c84035a9e1c31ec697ee |
| SHA256 | 7f388d7e8e121b4bd37aee72017aa89af5fba5e1ed213a4e18441bcb333cafa4 |
| SHA512 | 1aac6dcdde1b5e293201a3418bed26d621d03415434d47b0f4f97d5ae636841221cb0b9b5e0dfacc1aca0025697f1f2d8db6f74e07c8cb4018a28b6c2ba46eba |
C:\Windows\System\spoolsv.exe
| MD5 | 5d10b067f1a522204c077200c8ca2ae4 |
| SHA1 | 58005d689420435f68c49d190cdb923d12a14af8 |
| SHA256 | 18acc99b0ca1fd80b87848aa5477b73db76dd00021b7dc0280624631eac9a5b0 |
| SHA512 | 3c87a273e44fd57688ee7fce6eb69c35bbe173c05af3e373086f2cacb5ffa172120ffa1b81dac0f171cd060702b911408062d29b7cb43cd651529ce39b2edb64 |
memory/4848-99-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 7d39849262a5b1611b42f325f4025671 |
| SHA1 | 79d64ca7af40aa693aff1be739e081c726f76606 |
| SHA256 | 03031b37307a8c05c64032b5b8bf3c2221530442a1300eaa335c831d9da282b5 |
| SHA512 | 5b5c95faaf5a6dbb597a82a9ffb56488a69e11873935dfeb9847a1c341f1dd13ce48d214f6aea1e06b3d77dda8eb7d14694b5489df216528bbf6301d47f60172 |
memory/2364-101-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4240-103-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | e1512edef4b4561ea8e52287fa168ed6 |
| SHA1 | 5e05047374061b8cea897431a3136765a0f6ee2e |
| SHA256 | ec2b8dac463e28b82d8d22cd026d55dc462cef756c1a5df0d1a38a9da496c9ad |
| SHA512 | 6643acfca81e26fef915d4996d03075276a2d57c7425be4915a1562e8184c63d00085c2ef7406124675af677f5b97716c80ccbd0147dec53bd7abb5b6dd62b56 |
C:\Windows\System\spoolsv.exe
| MD5 | ae49fac716827b25ce9b0b1d8f1a981d |
| SHA1 | 70dfccb5ccbeeb0d8f88807dda8dd3c9314ae489 |
| SHA256 | d8d6ec7b6bd346b416eab93e022dece16969af3a85b9849cec187f16042f9318 |
| SHA512 | 62d0c33a6dd99cbdbc233d8337bce4488456c41be77f9282ce0c6bb19ead5a8cfc40d56a538809ae95204b2965b5e3a26fe393762efa249feaaacef1e5b48be5 |
C:\Windows\System\spoolsv.exe
| MD5 | c4b71491fa43b28a24f649e18c5e7f3f |
| SHA1 | 505ef69d688eb8b2df40e2a484fb272c57112454 |
| SHA256 | c670e62c6c823d5f2e24a86d64460de7ea848a7c4f5c7b2541c3895e7595864e |
| SHA512 | 7148df6ae58a8e093ab0a2fce315de0029bdfd93f8fb713112e335a3b8fb0ef16e6ec9777a56be78f057b3f31461397948d8f8b7480e89fcf62d5248a794c9fa |
C:\Windows\System\spoolsv.exe
| MD5 | e9c8b77ed3758d3cbe9d60764a1764c5 |
| SHA1 | dbe95d1e89a206ca018a76554ff4a24a6f4fdf08 |
| SHA256 | 020158c0264b3bfebdeaf03af4e7ac6e6bbc76ec59049481f3593a43d2f3cf96 |
| SHA512 | 1d3112384380fac6373ab0659222fa707d7fa1d1f44b343f6293851f9c92f13b40aa08c85125cd02bdff99aea365c588aa435dafafaf7f5beeb07f5953ff081b |
C:\Windows\System\spoolsv.exe
| MD5 | c4f22a2e748e5c58cea2faa497730107 |
| SHA1 | 0a0a05bf1af847d4ee0e5089538faa2271d5f38a |
| SHA256 | 0eac8f9e773b34b8dddd147ee0b402707f3ff2b05d0c812f90b597fb1fdd49a4 |
| SHA512 | f626235fb07c923fb1226c7afdf09c6ce88ab145bb91e50c946aeaa84a18a18e506c10da9614a6c21b7460ea195b8a08e2f84a502d87c91b4758b1450e3dab3b |
C:\Windows\System\spoolsv.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\System\spoolsv.exe
| MD5 | 026269be428e7fde61e41c305bdc350f |
| SHA1 | 5db4862b3b93f9f246ce900812429377a8ca6958 |
| SHA256 | 9818903b67a89d9c60d9cc260a1e80589491cecde7b72b26cf39373046b4cbe4 |
| SHA512 | 248a67cf1596bb4eb7e6bcfd4b54b33fedb86f7c1166e2a03532c4162918def9c3389a98fa6fc5a51e9b6a7039b09a3ecb255418f2392eb3a5b5a903c68f75c2 |
memory/3020-110-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 9441a5bac1a35dbe2ab3cb7e7adb9c18 |
| SHA1 | e26eb31b48dc25b4aec87b0a1f0fc6ba72c9f43a |
| SHA256 | 68a9a46819844f045c07902d8d93102805f457eec8a0638ad5b52f1c91452b67 |
| SHA512 | bbc1bb0f63088048b0703cc92b2698921eb6d1765af2baf5b0a1a3a19077315529c3f549468c171c46334f783ec7aca170c5592f5b26e59c542a7830f10dfd64 |
C:\Windows\System\spoolsv.exe
| MD5 | 62cab379c96473ac35a20ea202088354 |
| SHA1 | b3eb98e14e390757d3dea480888c75c47b816448 |
| SHA256 | f433ca2dd2ee6fad7627b27e523b580a8d5405018870bcef2b15abd881d253a0 |
| SHA512 | a292a19087f6df6545111c6e77f054cfcc1d10716a7d040950b0ca83354640972ef2c34e42514e6bfbbbd7a01a8a2eaaedff15d59bd379d2f8eb283a86fe1a37 |
C:\Windows\System\spoolsv.exe
| MD5 | 0268bd036379b7edc3c404806b86e5a9 |
| SHA1 | cc707268426ac7abcd29bdb3d01e59f45eb61f04 |
| SHA256 | e5e4b24b5f075014971087fafb379264f2ada2da15b4adc5adceb7422860a37c |
| SHA512 | 7fe1aefec00029662a37293544da44bea6b0ec365e712dba22ffef8b5f9c231b95160f7439992bb811873a76fcfcc614627b2d57ca0ead4a4fc1eef540876ef8 |
C:\Windows\System\spoolsv.exe
| MD5 | 357684a68676171420e7c41f34ca1ae5 |
| SHA1 | e78078059568881e6fd9e48c7312427abd33987e |
| SHA256 | 52ad94a32f97073a38f987b93ef7e128d0d6a0af29ae6cc289cecbe7eb218ca0 |
| SHA512 | 8e69b98d380fc56082d85ec885eb6b0440d2a695e40125703fbf58b08b95bee7e305c755a81ec38c1161350aeacf365d95d6ec25e3c9c91c2e60df86a81f91b2 |
C:\Windows\System\spoolsv.exe
| MD5 | abadf7489926bedcd222e00509adf527 |
| SHA1 | a26e03d3c61bc70db1ccfcb460519c9d2a8b785e |
| SHA256 | a68f09a278607cc2f308d499b8759315b64b760a6d63ddf863ab0eaaa26a5ad3 |
| SHA512 | b05987a38a66ba0b21306812684f6490c459cf4b02211910ad64f27e5cb5121926748adeaaa7f7a60ab56a3462f788aa4c6e99ea7a8c115608494c425ba5256a |
C:\Windows\System\spoolsv.exe
| MD5 | c1f6879abdabc47c1a015fc3af7c313e |
| SHA1 | 1b0db957b8ca9a63d9b214418754a3b1572c291c |
| SHA256 | 325a62c856f2db47c4c48b2e99e2b7f4f88256b92e13e46f0c82dc019dced138 |
| SHA512 | eb82ecb73215c3d364566b00d0a422c875cf11b308ab721d70792f5510d63f6895397687999246943cf4dd15e2d195a4e09e185b37906af94415f5ef218f8749 |
C:\Windows\System\spoolsv.exe
| MD5 | 22672156464e9a0973d6d6e2396fd69d |
| SHA1 | 2b298d70022d31c02e399bf38d6bc4a3cd84f209 |
| SHA256 | b6ef7c090e04e780cf2c5b4a5d8b7f0251149650de98e5cc9a2134f32c84c31b |
| SHA512 | 3a379244c6dca6d50ce9e94aa68813a84e5b0f3e0489666341cb59ce0352f87b3b071c335de247ad206b7dc516f20aabfd807377218d07265cc4a2fd261b6b80 |
C:\Windows\System\spoolsv.exe
| MD5 | 0465c7b6cc30f0b7f703f4b3e657fc6e |
| SHA1 | 500faf01aac9da347ab2931f34a18fd433b29b89 |
| SHA256 | bdea68c727b014aff2bb6eaed0af517eb5ea9d3c4220b3ad6676a8214cde78bd |
| SHA512 | 75819ab78357bf4b58d29446a9b81eb3ee995a1418b8fad4e59f34fd7ce805b14475c29a45a0034f6d974b0131809c2aaf7d49877b8b9085fab03bed087077f7 |
C:\Windows\System\spoolsv.exe
| MD5 | db8d39e1cea12994433510f85c219758 |
| SHA1 | b9bd512ffc8d59be6fc4aca00e76dc15bf2af1d7 |
| SHA256 | 99abf4d29f38c1663662c5ba022ddf6353927cc6877cfc174f758c4e6360c7f7 |
| SHA512 | 443c2081b208867c363c256f9c30e4ab8f89a3d3dd8c41cdacd915a074a09b3cd0ae76e607eaedbeb43def3255899eb58c4e7d5d4bfdc2889918e7d87e2486fc |
C:\Windows\System\spoolsv.exe
| MD5 | 0c20e4c2a92d86dd2c7941c4f72ac6a4 |
| SHA1 | 2353f110afd2a77720660182fb1f5db63bac235a |
| SHA256 | d5f0b0632aff0655ff34d29303ed6b1f3b8dbfb40e9ff7a12b3112ce010df09e |
| SHA512 | a2bdd934abbf1d97c0bda8af808460b6cc486c73d88a6add989cb91238635061c9eaf93d15831b535c37541d8c195a7d1cbcba67d47a671bfb2658f69beebfe9 |
C:\Windows\System\spoolsv.exe
| MD5 | 3b1a96cb0f3bf504fdf233aa51bca43f |
| SHA1 | cab7bf7622c278c8ae985526a668de74b08ba55c |
| SHA256 | 01d865f1333de66fbf81c8db5f69b4ef54ffa005ca70c65b1b3932371fe1c895 |
| SHA512 | 49605dae6b317fc4d71dd23d39c627869bb6713dbe90c8b4551caedd23aaad3a3cbeeabd1bd09723e36e88cea4ed1e4aadb9703300046ab57a2010901f25d616 |
C:\Windows\System\spoolsv.exe
| MD5 | 4ee817df9ccfa2e439b96662f2c2cd4a |
| SHA1 | 13ef49c77e1ff65039a5d60f9efc630dea3bdecb |
| SHA256 | f6bd22a077d6a53e874446b0ee690aeb5a5e559fba2357d6c05753cb21f00985 |
| SHA512 | d8785b1a37b50e88623fa416bfb2d74547730768de6326614842d20324cee79e0b4c34081cc954f58c17737d94f2994abf93a6ca8248262d5d83bde9eadee91a |
C:\Windows\System\spoolsv.exe
| MD5 | 863e32a75109d62b4a93a2c584f62557 |
| SHA1 | 8e5cf08d52684c6c8ec6b05edad9c06f56cfce88 |
| SHA256 | 0b779c300cf75fe1bb06ab20d94493181de43909fa598638fbbf4b5bba14043a |
| SHA512 | 2ea889653806f4291870b1b416951e6a964b2f39d980d06df9fcf1dc0a5f5ca2242c66854c7b12c831d34e7cfe0e59bf34dc6b3d8a5e5f766c52b66ff7f16082 |
C:\Windows\System\spoolsv.exe
| MD5 | e5b15a5727c8197e1982db4eabdecf12 |
| SHA1 | 46866a52769008b9181618e891a67bcc0fc60ce8 |
| SHA256 | 20ea4611043ccc69210977feb8158bb9a7fb494ca5e7d621ae7d13441c58fea8 |
| SHA512 | b3586b6739dbb37bf51b0f7ba2cf9f0d292af56ed817d338fd476cf18c44786699673ab7052a18f1c371f862d40e23b0279c7b9624e2e471f1ec1165ca06bd62 |
memory/3292-127-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3864-129-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 972ba801a8189221630d7b0f727f0254 |
| SHA1 | 7ebabe6d5ab0f20841eb6c580d5f5d178f52cd81 |
| SHA256 | 1052e3253e2fa1e31d78321e65152806d3296e878cef7faa33ccccebd26c83b6 |
| SHA512 | b64a8aa0c0224928feb47e5de60f1aef9eec218de8077d2cc634ed94b586b626c70f139b19844d217ce74a6f30b998e7f3fd5080b48a51542532324222ee4f72 |
C:\Windows\System\spoolsv.exe
| MD5 | 5646692df5d8ad309e7a3053da56de18 |
| SHA1 | 9a9fd4be445f817ccca587f532ed77e1adf15c82 |
| SHA256 | ca4772c0359c3d60b1cc9525645dd54a86197b0ade380534bcb91f1a1ccf2122 |
| SHA512 | 387018db81cab9e3490adc28d7d33871e78c218d2e0b6297b3266006430c4ce29af887a17b62398f2ca4b6a72accbd3eafbd96f4c571e9227e6c38430f2347ec |
memory/3400-132-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | f5ba614ff455b052678d27e9db4dc5b4 |
| SHA1 | fe734952c4ece5d362c05c35b5fede6c8de07dd2 |
| SHA256 | 9e9c7c0c76effed9e59183ec6c890935e6e94b009b5d94ab477357831d54faab |
| SHA512 | c86aa19a4f3743e2a6f4d28248e72922d726ffd7f2fe35c742c07e803ad7c889ae8141586b4d6834745f9ae3aae305f841191b814d1f4748a0b15d8e2c09fbde |
memory/2308-134-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | a693d59cedf373a7699ece62e07f0fc0 |
| SHA1 | 08212ab05338eb0aa9400b5498ada23beadffe88 |
| SHA256 | 22ce85f09e07d0d9cca4804d1ab4c63b7ae31ad37eeb2d793fad2ac42d81225a |
| SHA512 | b854cec8a56cb7fe442a64301c62ea167a86b231d386fd649b94e5f590112ed28e73f9628444a079a5265d3672cf52bfecc9ece9021c725d64e9c8c55a702703 |
C:\Windows\System\spoolsv.exe
| MD5 | ac4f82c062e52ae3e426ad58d6d34f87 |
| SHA1 | c4d09d2d5b85e85b5ccf0a6040791e624a063585 |
| SHA256 | 8587a98256934e44bea3ff0c94ff311925ed4d528a24afc526938f15e2e3e427 |
| SHA512 | 5ab3f487fad8ff19e1b35b9ddfabb6424d9c716b28a219d5d6facc2ea6abe39e4b70a28ff808d19e7a4875347d09f3c4910a4e3752c9a53175c87a87e522299b |
C:\Windows\System\spoolsv.exe
| MD5 | 1c99b5e97d08d731ef3d2bd7fb506306 |
| SHA1 | 010985207bd18b82c130b517ad643b0e1ffff061 |
| SHA256 | 72022240b0d58559707a9138773b385f675f6684b97b8895e8ed87bbc4746126 |
| SHA512 | ccec0d9decc18886b2743d8c11f0a29bcf9edc751fe6b14dab99e0936859c6776ea9e2282920d5d45e1936132328a02e04764b42085fb0fc762a6b7d7390b731 |
C:\Windows\System\spoolsv.exe
| MD5 | 51b30772aafe44146e0e1e5671204ca2 |
| SHA1 | 38c1469293d29598be7f983d439d9a6ba76a06ad |
| SHA256 | 4ae3a32d77dcf6ec495d3657fc9dd7e431e758ddc5fb89b6bfb72d8b42d6d535 |
| SHA512 | e0fdc473af62fab60521593dbfd85023e0be55ffac7db1cd4d3fbbbda94d561e5e698eb6fa8474cd7b9746342689a16ad126e9aca2ac55cfa42c2989e7d829b6 |
memory/1436-139-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3196-141-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | b88654b0fdbdaecca00b15d125e9980d |
| SHA1 | 7916f2b1faf79de243e48913e565edef4debb28a |
| SHA256 | 99ab9fe99fb11540a8ba555b402cb190ffe57be62ff1c5f0f3df18bd32b0f067 |
| SHA512 | 2c1a9e0f21386ac2fd3a34be73353e0d8d2c88cd2da8d1a0eea4dba34658e41a36dd83ea5af3d88a378a80f1e981e9b6975b366bf8c190c2fb0be66fa9465b15 |
C:\Windows\System\spoolsv.exe
| MD5 | 4cb9dfb0e24235547e4984a5197a00ad |
| SHA1 | 4bc6fb921b64d98c936f04359c56a38e9e8eed5c |
| SHA256 | 293c6477ef150b4ffb4bd3321fd1e4f183c2a951220dbf3eb7d3bc8c505e5253 |
| SHA512 | ef6b341af8cd0d56c570bd20a14d99593cb93b682fc04d61688c9fe87eadffbc0972a3697ab185ee0233f20d7d8213d26f060a1daf22f4d7d6e45ce7b91f8ef0 |
C:\Windows\System\spoolsv.exe
| MD5 | e8aa10b47c2d7241103e7d1c46b9f58f |
| SHA1 | 97e414561cd11cd87279018ab695ed4c7751db98 |
| SHA256 | 19bdeee0f5a6d2a0f39b1363654cc071ddb1e4666225c3dfd7d68343a6750e99 |
| SHA512 | 94d0243a4156d64186695a805874b368ababa9ab8790becdebad802d260f5b2bebc17808865f9d77d7e457c93ec28a683a400bcd8da8955b762a08d19cae9220 |
C:\Windows\System\spoolsv.exe
| MD5 | dd6c915e892ef5754ecf66fffe76430a |
| SHA1 | 7b5339f9cb7de08e1336521cca5f4c4e5aa06499 |
| SHA256 | 935f3ff49e1d5fbd6de55fc0fa8b5e9a29d5d806b83a34be04349baf1f59ff6a |
| SHA512 | 15d830d95143cd37b74040684c4a28fccba9df568678c487e8f6a6878b58e400d60851e6c5ae374a5919391b1cbeaf0805e4bc13f899fcde590d7c7dfebf0c70 |
C:\Windows\System\spoolsv.exe
| MD5 | 470f8d6071f3900ef4f64807782fab89 |
| SHA1 | 4d42348ea1de8cee942f41a5f575864f2f5aa174 |
| SHA256 | 24de0fe6108a5a908e6c7c2f79373472c80c08ceb615307fdc13055f10281e6c |
| SHA512 | 95455460eadf02c4a769ab56f440e201a85d18a3dbb75bb7c6d53465142a3742acc600fcebf3133de4f6df94807e71f4d034bf78e21a4f6653710bdb6d688d62 |
memory/652-148-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\System\spoolsv.exe
| MD5 | 1b995e9bfdf2cc5cc40981a00560c132 |
| SHA1 | ab85efa2c739a0d31546e5db6e0a3e6e4ff50dd6 |
| SHA256 | a9d4c957b8eb04533e7f13d4d5f5c487eec7540d3653235399711626e4ee865b |
| SHA512 | 308a3ba0dfc9f85586b1a002a2d7f669d565d6207e6a5674b21405ffafd4d86954dd36b88bacc79c9b8ef8fb6d16960fa39007e91dfa6ede46a6f6fedc098a06 |
C:\Windows\System\spoolsv.exe
| MD5 | f023fad956e347d13de618aebbe70b66 |
| SHA1 | be720e9cf101d167bddb25fb30a86e48987bea5f |
| SHA256 | da26fd38786ddb2f82a98dffa90010bb08651266dfbe8068a4aa2c9a4e045031 |
| SHA512 | 4d6edad090da800d7eb2e547ab6e128f86292e24fe19ff55d965210b7363ab924792186a45ec74fd2c5522345412e49af8d1c6e7e243d4fef3811e6cee217366 |
C:\Windows\System\spoolsv.exe
| MD5 | 0a29315f18409cb8a9c821993fdacdc1 |
| SHA1 | d19fca5efdc94fdf9007d9995f421369a09c9567 |
| SHA256 | a968533833c9c8aa5cdd45d0a511179e03b27ae73e41ced0d46a63850c1f7f02 |
| SHA512 | 5c548596768c11351c5706f9fc94eca2d187e129e8f85849a578f8142fbf0a33dea2986cf6a3abd82234eff46e45c1805a60fe9b2b8acca13799243e639f60bc |
memory/4888-152-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2804-153-0x0000000000400000-0x0000000000514000-memory.dmp
memory/3200-167-0x0000000000400000-0x0000000000412000-memory.dmp
memory/848-168-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4140-174-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2256-177-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4140-175-0x00000000025F0000-0x00000000025F1000-memory.dmp
memory/4140-173-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4140-172-0x0000000000400000-0x0000000000514000-memory.dmp
memory/4500-178-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4140-179-0x0000000000400000-0x0000000000514000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-28 05:58
Reported
2024-01-28 06:00
Platform
win7-20231215-en
Max time kernel
133s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2532 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe |
| PID 2532 set thread context of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2928 set thread context of 516 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2928 set thread context of 2844 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1088 set thread context of 1584 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 1088 set thread context of 2224 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | "C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe" |
| C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | "C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe" |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| \??\c:\windows\system\explorer.exe | c:\windows\system\explorer.exe |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 36 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| C:\Windows\SysWOW64\diskperf.exe | "C:\Windows\SysWOW64\diskperf.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 36 |
| \??\c:\windows\system\spoolsv.exe | c:\windows\system\spoolsv.exe SE |
| \??\c:\windows\system\svchost.exe | c:\windows\system\svchost.exe |
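The registry, SetThreadContext and process rows above reduce to three triage rules: Run/RunOnce values that point into a user-writable path or at a system binary name in the wrong directory; SetThreadContext into a process of a different image (the hollowing shape, here into diskperf.exe); and well-known binary names (explorer.exe, spoolsv.exe, svchost.exe) executing from c:\windows\system rather than their real directories. The script below is an added example and not part of the sandbox report. It embeds rows copied from the tables above as its input; the EXPECTED_DIRS map and the USER_WRITABLE list are the author's assumptions about a default Windows install, not report data.

```python
"""Triage rules for the signature rows shown above.

Added example, not part of the sandbox report. The rows embedded below are
copied from the report's own tables; EXPECTED_DIRS and USER_WRITABLE are the
author's assumptions about a standard Windows install, not report data.
"""
import re
from pathlib import PureWindowsPath

# Assumption: where Windows itself runs these binaries from on a default install.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# Assumption: directories a standard user can write to; autoruns there are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Rows copied from the registry, SetThreadContext and process tables above.
REGISTRY_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
"""
CTX_ROWS = r"""
| PID 2532 set thread context of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe |
| PID 2532 set thread context of 276 | N/A | C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2928 set thread context of 516 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2928 set thread context of 2844 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
"""
PROCESS_IMAGES = [
    r"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe",
    r"C:\Windows\SysWOW64\diskperf.exe",
    r"\??\c:\windows\system\explorer.exe",
    r"\??\c:\windows\system\spoolsv.exe",
    r"\??\c:\windows\system\svchost.exe",
    r"C:\Windows\SysWOW64\WerFault.exe",
]

COLUMNS = ("description", "indicator", "process", "target")

def parse_rows(table):
    """Split pipe-table rows into dicts; a header row, if present, is skipped."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] != "Description":
            rows.append(dict(zip(COLUMNS, cells)))
    return rows

def normalize(path):
    """Drop the NT object-manager prefix and quotes, lower-case for comparison."""
    p = path.strip().strip('"')
    if p.lower().startswith("\\??\\"):
        p = p[4:]
    return p.lower()

def is_masquerading(image):
    """A well-known system binary running from a directory Windows never uses for it."""
    p = PureWindowsPath(normalize(image))
    expected = EXPECTED_DIRS.get(p.name)
    return expected is not None and str(p.parent) not in expected

def is_hollowing(row):
    """SetThreadContext into a process whose image differs from the caller's (here
    diskperf.exe) is the hollowing shape; same-image rows are the sample re-launching."""
    return normalize(row["process"]) != normalize(row["target"])

def suspicious_autorun(row):
    """Run/RunOnce values pointing into user-writable paths or at masqueraded binaries."""
    m = re.match(r'(?P<key>.+?) = "(?P<val>.*)"$', row["indicator"])
    if not m or "\\currentversion\\run" not in m["key"].lower():
        return None
    value = m["val"].replace("\\\\", "\\")        # the report doubles backslashes
    exe = re.match(r"(.*?\.exe)", value, re.I)    # drop trailing arguments such as ' RO'
    exe = exe.group(1) if exe else value
    if any(tok in normalize(exe) for tok in USER_WRITABLE) or is_masquerading(exe):
        return {"key": m["key"], "exe": exe}
    return None

def triage():
    """Apply all three rules to the embedded rows and return the findings."""
    autoruns = [f for f in map(suspicious_autorun, parse_rows(REGISTRY_ROWS)) if f]
    hollowed = [normalize(r["target"]) for r in parse_rows(CTX_ROWS) if is_hollowing(r)]
    masks = sorted({normalize(i) for i in PROCESS_IMAGES if is_masquerading(i)})
    return {"autorun": autoruns, "hollowing": hollowed, "masquerading": masks}

if __name__ == "__main__":
    for rule, hits in triage().items():
        print(rule, len(hits), hits)
```

The rules work only on the report's strings and never inspect memory. The same-image SetThreadContext rows (2532 into 2708, 2928 into 516) are the sample re-launching its own executable and are deliberately not counted; only the two diskperf.exe targets register as hollowing, all three autorun values register (one in AppData, two pointing at c:\windows\system), and the three dropped images under c:\windows\system register as masquerading.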
Network
Files
memory/2532-0-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2532-2-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2532-1-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2532-3-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2532-4-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2532-6-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2708-9-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2708-11-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2708-13-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2708-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2708-23-0x0000000000400000-0x000000000043E000-memory.dmp
memory/276-25-0x0000000000400000-0x0000000000412000-memory.dmp
memory/276-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/276-29-0x0000000000400000-0x0000000000412000-memory.dmp
memory/2532-33-0x0000000000400000-0x0000000000514000-memory.dmp
memory/276-35-0x0000000000400000-0x0000000000412000-memory.dmp
memory/276-34-0x0000000000400000-0x0000000000412000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 09a3326d9b2a18571217ca9625e97ed0 |
| SHA1 | c288b4c84b2e5887c3de7b10f7fd776e42fc208f |
| SHA256 | 162238d541e8bbc5c08d3c4af7c1b3e0cd0c8dcd22381b1db3dcdb7db28043da |
| SHA512 | a2c28ccb05e3ec4808ca42bd4431dca5bf4b290555fceb15a10dee0a48613aa7cdd2a4f7390f27acbd04197110115a20098e022a5c8ad5931b50c19437f71b71 |
\Windows\system\explorer.exe
| MD5 | c59ddc97800c5d6b3d98c79aab521c56 |
| SHA1 | 634ce5bd60df2ad0e3b276a3e6a68ac362a04ce5 |
| SHA256 | 3da86bfb86778aa75b017a415216e37c7bf629f701cb4548fcc11084f8966884 |
| SHA512 | bf26e34ce9c80bf29be09e211e2e11f22e07b78745181d09d8c7171bc6d7905a0d897689230e8bb8933368ed83b49c0ee57dab7322467907fe0697471f7457b9 |
\Windows\system\explorer.exe
| MD5 | 8613866395ecb485b5e65b645c6a2075 |
| SHA1 | 2d9fe5aab53bd0e21dd0f2bd7a03898f7723ca00 |
| SHA256 | 89818ea4c8396f22374ab9068f9652b85cc1fcf352edeb7995dfac23d179d8cb |
| SHA512 | 0f6215eaa6d95064aadbc8a2ec1b88c07fa6519c4996341494825497f9403aeb7c9d29ec5fe2c566938f474f3305a0346a262d132e5ca6c1cfb4570f959b5d9d |
C:\Windows\system\explorer.exe
| MD5 | 44aec6b1d43ba50fcb7ddd568aaf01ca |
| SHA1 | 9a3e9d63b8bcc1e8250036b95dbcccfa44b959bf |
| SHA256 | a4dfd07389e151c1d51ffba649058ef4b39d76684424406df83c7c4cf80dfe94 |
| SHA512 | 7513852883cbd2c38fb0110aafcd7547c9f23f3511da76a779855390e0004871d9d4ee5b3d7abc0bf1c7dc1212f38e974321cf8e4a9842f9d7a55c2a79e70a21 |
memory/2928-49-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2928-48-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2708-50-0x0000000003030000-0x0000000003144000-memory.dmp
memory/2708-45-0x0000000003030000-0x0000000003144000-memory.dmp
memory/2928-51-0x00000000003A0000-0x00000000003A1000-memory.dmp
memory/2708-53-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2928-54-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2928-56-0x00000000003A0000-0x00000000003A1000-memory.dmp
\??\c:\windows\system\explorer.exe
| MD5 | 84583f078c647c69a4106f27a6d92565 |
| SHA1 | 4b666f49755d5fbaecacf91272014ad82990d05b |
| SHA256 | 74bb65d5de4a0efe859d285f102d17cf1193be9b8f87e6eca93cb65d9d5018e6 |
| SHA512 | 98a439be4b0261aa023b3dbd709780ca72372d426675348514cd0ee534e6e131dd932fa58d7d3f9108e5620371b4ea0b2aade4313d8348213ca99c39b36be2cb |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | be7c39fa5c6e3fa5da3d5ca5d484e8dd |
| SHA1 | cce73bc7427d0c6bc05ae3f4c962b9d78481b28a |
| SHA256 | e150e08ec485d6e248f7e2d81aea8b6afac95ac088dd16df78c2ac44caf1c543 |
| SHA512 | b3554c5eeeae7dd5b170fd5b3e6a4d0be45306316b01b51a8c5332a54d060d130355d5b67742e2a1e965c29518a08e285f62f61487cb10dc0478d52f043f5513 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | fa2759c9c4cf27a0e834c63bc058940e |
| SHA1 | 2897c7af482df3dd2a55bd2339aba5f59c250faa |
| SHA256 | ad12b51f957d82d70e02197ca8b273c40446458aae7f701d0be0b592d3a9a9b2 |
| SHA512 | 8551e7134d0ba0919dfa145ebc4ecd43cfa23d8e5060cf6d1c7a44f58423216fdae679cf9c84ed965dd1ab9dede02a9714de4204db6b348905c3aa5772fb2b63 |
memory/2844-79-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | bf4c70ef68c5f11722680d8374a6d70c |
| SHA1 | cdfd893534e34111c0fcfad66c8b13619b653aa5 |
| SHA256 | 3d570f97b2e0cfcd293f361244e8a41dea0c071f798a1782a1fbb2392df258ce |
| SHA512 | 81a9250aec2e068498cab3bab887642bf1ae765bb4e1d591c43bcb28966684670de8e98b9023aef103472670d90e4d88719f51af9e667524278e66faeaa994a4 |
memory/2928-86-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2844-89-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | e662a84c75876126ede6b9e4a6f61381 |
| SHA1 | d8a0bf3ed9d80bdee7fdd3fb194f6baf40acd683 |
| SHA256 | 63cd83fdd66a65e8867b2f0365f20549a092a487745c650120d4c3c655931c65 |
| SHA512 | b792ff0922a85fb7a18aa3a0e408ffcff13de672ffda551eececaa264095ccab548fc258e4d2dbe6c4b581d5df216c929912d02f7f1cc0800c00aea23618b2b0 |
\Windows\system\spoolsv.exe
| MD5 | 53f9b43bd5d7bec1ca2108e5729672d3 |
| SHA1 | 5bd844074fcb9df8326b108b0f382050277841d0 |
| SHA256 | fc4f5c03f6f8ff79c41ef77c25edcd46afad6f138af69668facd75d384accbba |
| SHA512 | da26c2318c10085a187e8fe865d0a1a3cb99e0ffaf87b8f4aa9a0bbda85737e8bc38abd194a0ff8eb4671e6d07c1d5ab3e41ac773f26596cf18de0c94bee9820 |
memory/516-102-0x0000000002E60000-0x0000000002F74000-memory.dmp
memory/1088-101-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1088-100-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1088-104-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1088-103-0x0000000000400000-0x0000000000514000-memory.dmp
memory/516-99-0x0000000002E60000-0x0000000002F74000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 1497c6affe7a1a887b7d05e01e3948c9 |
| SHA1 | 959c3ecd262c0310b4b3c368fba71d063009173e |
| SHA256 | 183198a38da66771bdb10008ef81f129e28e1addf63cf02ec3f75982c1f3b638 |
| SHA512 | b0d242e88bbbc28494720e109bced32b7ee82d15c576546b34e7cbb02fb8b6881787a9b0c95da82a221780448d6b4edb91a4569283721d217b7168db44d2be9b |
\Windows\system\spoolsv.exe
| MD5 | 76ae2fcf70ddc8ce23a9f9c4a5917707 |
| SHA1 | 85ec45c6ef96490f21e4f759e30a9edf6d1bb34c |
| SHA256 | 7eb8904bf64958dc4774de2c8b451c1b78ba3e8dd815c6cb35f1de4d9aaba9a4 |
| SHA512 | 402277eebe2986616aee84b7696fa86589fa33ca77f2e291abfc93fa37e527264d17ccf9613e4ecb03e90b0d7555633decbbfb67d8cf197361ea9448fc9e825a |
C:\Windows\system\spoolsv.exe
| MD5 | 33d4c40f85f7a3124953077cc3723c26 |
| SHA1 | 999c4324906aeb1274fc6fcac57837dcbb8672fd |
| SHA256 | ff84872fc0c3b59c8b139c2c62ba0856e7c6387c0a86b5fc056da1bfc7c3af61 |
| SHA512 | 229f12b84e8eb92e5f0c40df427d218e6cc323400ceead65173923c730c3d1c9fbf3768542328434b39cbee4405d305fdf91580c0fd6b503e9d816d068003b41 |
memory/2076-115-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 71eaa1ff93350777dd3a5954c7d20df2 |
| SHA1 | 578e7f84e29ed353223dc3119782a0bdd23422d1 |
| SHA256 | e8736c5a11655f11c2da659767848d95ab2b74480ca8ce4ccf882278ea22093a |
| SHA512 | fbefcfb8d0cca39da03ec3184eccd53dd20da5c590c92bdcaeb2ceb0336d39e1b1763edba6d744bf1627ed81454b0ee8cd82322d1e26304e6f182d1df33ad637 |
\Windows\system\spoolsv.exe
| MD5 | c355ddbce970ab30d2c239ab6fea5ef5 |
| SHA1 | 00def063849e2978f89cafe2c09449156e2539fb |
| SHA256 | dfe43b20d1e79e06be1220ddd41a0ce50dcc1cdca571948388038e16ddfb3850 |
| SHA512 | 1c174b8b6f34430ac265c798d1afee8eece0f807c7d7122360cd698e9f625fe81242e5f1f968ec33b025f3c91df937856e806b7c6dd548bcd29ab6f57a9e714a |
\Windows\system\spoolsv.exe
| MD5 | bdc85dcd311d227cde488e77c77c1f0a |
| SHA1 | ef0aa715a470ace8f1428920020b3f9006c54207 |
| SHA256 | d8a7a6f39688e037d7301fd856f951b8e8044b6dbe11482062c5dafc325f2162 |
| SHA512 | dfd1ea84b8c2993cfeaf32d10156c3545af93356e50e104d85ac9ede93e3ed7354ba0bb9e51e53852feac3314dd09452eb3e71183ae25fe2a45ea041dd5736c6 |
\Windows\system\spoolsv.exe
| MD5 | d89abd1d7e3dac710791e989ff974237 |
| SHA1 | cf898f89305a6a2b374a0fe7312ac3b892c362cf |
| SHA256 | 7a1868daa9550a07b6eb0e6576d6b11c65eff57536b4abc70e360a15a843144a |
| SHA512 | fbd692938f460c0c869a5db110ee78ba7fee0c5e6ec764bb90e774acf4fdef3464aa20f7163e068eed7b4b7f78f44c7a06cc86926e0bbd6697b1e1bb6b989b49 |
\Windows\system\spoolsv.exe
| MD5 | 88ffe99be2ac98bcd69c4742f02e148e |
| SHA1 | 7d6086c6a71509cb6114d13a876563cfc8afb3d2 |
| SHA256 | dcca35f740c968931d85a1eae3e8c37005dadb8e3874b752678f39946844db26 |
| SHA512 | d75c70bc94f0ec6fd67edd24d33734264a0d795118aa9a0238d2ab83a67aa81e9314ff065a0cdacbee499290e6152abda84d5e7a22dfe189d27f27aba03c8ca7 |
\Windows\system\spoolsv.exe
| MD5 | 89f96734289e88cb9cc029a1a208c35e |
| SHA1 | eb85c3068391281e50601220413469402e2ec570 |
| SHA256 | fd18489b702e09a4fd852b4bb2538e2602fbb72d091f407e3b260c2e2f451603 |
| SHA512 | 720e4f7f13fcd73ec7095ad038dddbcc6074119de1dec99aa8f00d42926c9e486637d48ac88f29593cc472624844368274de4dd3d59649bfd6a4b5fb031f8d00 |
\Windows\system\spoolsv.exe
| MD5 | 96eee645a8fee55e5348595fd9051c16 |
| SHA1 | 12c10cecfd2a4807d107bdd3d824fc866b34d18c |
| SHA256 | ac43525c2997aa1c6dabfdceb42519f7b2ef49a7c0a8f8b4b17da4fce97f8bcf |
| SHA512 | 186e1456e673152e20adfdcc732ea92d129fccb244baa48cf6f6fba080b59976bc6dbcfe92c4de821ad4590b93e1fc6a6261cea8efa2f24b8996292d3d0c3060 |
\Windows\system\spoolsv.exe
| MD5 | b0259eb1c8acbe0200c892accb31439c |
| SHA1 | a2e101e14cc4448abb6bd550ea715dce463c15dd |
| SHA256 | f675ef07b592d85d279649df99f2e9fd44a2aad4754a89ec677275eff42ca97d |
| SHA512 | 6c74107b7624f9cde9e52d32dcd615c1378416600ce517d0c2305cefc9f6ee768523e7360de05bc9c17934918224ef771c0039fb2113a96134e9128709d60c0e |
memory/1088-124-0x0000000000400000-0x0000000000514000-memory.dmp
memory/516-123-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 2da8528eca27afbbc1f3f9d34f240f4c |
| SHA1 | 6560fb69b9688ba069c336e5daaffeb6f003ccf3 |
| SHA256 | b2988fe6bf2188d28670d9ea508e68526a20a7d6c75e2097308a942a57605e8d |
| SHA512 | 2fcb51f17903d29ead91382ddd14f2331e9621323df1f889c599cf26488e0440cfe60d9a45f821214de61f4014f278e8a2d048c7ea369da292bdc428e46bedf7 |
memory/516-133-0x0000000002E60000-0x0000000002F74000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | fd4db2278130d54302919f1b884b3e06 |
| SHA1 | 1098491f917e1cd4680c425a0b64cabca82f4cc6 |
| SHA256 | 0cdb9b7670bd2e5b68092555826c5545c2889c491a9c3778077623344fb6fd14 |
| SHA512 | 94ce12ae1b443d4f2cdcb2a151c566ea845a3967afb4a5d45a59a3a30556215435c14d056b01bb861d32ccafa1c382d3529350abfe7fc8685cd1816f3542fd55 |
\Windows\system\spoolsv.exe
| MD5 | 0cb8bc89380b929f828e3fb59eb10923 |
| SHA1 | 62007f479a9628a590dc50c6257d570a5699742a |
| SHA256 | 309bc43332b27eef19efe427f375d10425604aa2c33534fabdc26dddeb137b3a |
| SHA512 | 06b9e3eed2af917c4c37396e8b9379b29ba8ce999b62baaec95020cd15984e33a4e0dca0b067133b790cdb3818f5f6e7c7fb0742ca535f069488fefa87d00db4 |
\Windows\system\spoolsv.exe
| MD5 | b29791a5fd5542a081850f031c765c47 |
| SHA1 | d8a50b6067b83da6c8dedd728f0accbc59043ceb |
| SHA256 | 2b1faf0ae7c74e377069b59f943509a09ffa6cb0f1ff8c7817f57565eb94c044 |
| SHA512 | b7b04090970d5cacfe70d7dad7c23d15d94fd257b85da34db068dd7a43b47f67c0851cfca5747905511e71a9b23ee137c586a95931f10d81bf1d400afccefe22 |
\Windows\system\spoolsv.exe
| MD5 | ea300e7197bb47bb11d499f425d343b0 |
| SHA1 | c44aa07492edbfb576bb718861d9c33a3887fc57 |
| SHA256 | e1dec2ceb6cbc962e433a268a9b862ea5a8913b40a21e57697eb529c7c85da62 |
| SHA512 | 4ccec5c428c376b807f40b39f070d18ba10bbea185a2d41eb936a93fb3a61eda2de80a54a62f1cfa81047ba61f537579715d8969887b5fdef262bae23ce8d181 |
memory/516-142-0x0000000002E60000-0x0000000002F74000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | d03507af62d31e1d1065268dd0ca7e0c |
| SHA1 | a02f243f0b97df84cdc54cbf1bfbfc543300df67 |
| SHA256 | 856ea66672bb73e77815e7372d76a40aa78f8298bf4c2945372d48fed382972a |
| SHA512 | 33fa8cded09975175f30062d892330ec72e3e4a95f7f274d339b59714823c6af4d3f9ecf717672c763ddd94b5bb66c2262da1663641e5d2b6e0be9e61c94aca8 |
memory/1888-140-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 331d0456232929baad3028ae6b1cddf6 |
| SHA1 | 2613f58c8df432f0726b900c7631c4cefaf88a47 |
| SHA256 | e9604f88db330a8da085e7796481c9b9c3344db3c27598b6f884affd737ba6ce |
| SHA512 | 76c194573eb1bba48ea256d8f891f2deb4d1d4c49cc2c5fbd89eab40e6419000d4aeff36d9eab28a5df846b0a1b5155d4b99d084418eb267e8c69c63dedc91c8 |
\Windows\system\spoolsv.exe
| MD5 | a05e075b7cf52667e1833b9f977aa975 |
| SHA1 | c28a66bfadd1b09d08c45ed1bbece6634844edd3 |
| SHA256 | 783768184ac0c409344d9d20211f6a90ce22290f416dc1872404eb01810d035a |
| SHA512 | 738a7e7b6ba43aed278fe07689d99218d22731e1b735d7062e2f17ffd1a12078c3829af5b785cd75a4b38a4675b1dc77073c415115a9ca7ab351d71d32b868a4 |
\Windows\system\spoolsv.exe
| MD5 | 4f55bf24ba6f6416ed78b148c90cf0b6 |
| SHA1 | bb69176eb9ba293513ec3aceaa8976201ace4c5f |
| SHA256 | a442eff62f7086cbe27e2ebfafd210381442214c36733c7e009ab46a1997548f |
| SHA512 | 8cbb7d7b87cdeecde62a203b733b889fb8414f473d4cb658f320f8bc1c1a92e5fe208a76cfd1554d81daf7c58d179c0a989db9c1fd677ca2c7af764759968de7 |
\Windows\system\spoolsv.exe
| MD5 | ce408c0f625bdcf0b1feda607b6cafc8 |
| SHA1 | c3f19da24e9c130670f98d63df37487c2e08fe94 |
| SHA256 | f3b7ab06fb58113cf0a4ed5b4c1f3b1f36c6b5ceb02c4db7916468b602675e8e |
| SHA512 | 0d68f3a14478bec9d150c838eabac078ef97ae21dba458aa61787b6db66d62fa964ac84c1296ac94011a3b303d05b3e8e19c0bba2791cb9eaddf652f9bcf6fae |
memory/516-143-0x0000000002E60000-0x0000000002F74000-memory.dmp
memory/1088-144-0x0000000000220000-0x0000000000221000-memory.dmp
memory/516-145-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | a2d6e47fed9d37f5984051de10c1284d |
| SHA1 | da034211f2ad66680805d4f13336c29e0b318cad |
| SHA256 | c1d7646206494e9bb80203a3430274f7d0f7f4bb967b859245927034c1fa39e3 |
| SHA512 | afa828ac4c0f0498d1e058c67d55ad9fa233ea811e8e44e09df78cfe2311bf686eae6985bac5a6914a538c6326705de5fc74820446845dc90e6d9840730a1396 |
memory/1804-155-0x0000000000400000-0x0000000000514000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | cb20cc345b38408b7baafa8d540c473f |
| SHA1 | e8f37f6f04ed2e9c32a84d610f10042d26b89195 |
| SHA256 | 481b08918c506918f35b71700da74ffe050777bc308b25c4da273dbfeb1be6a8 |
| SHA512 | bbc5fed8a691277b3fec7a48d7323e145377c98faa89a45a92de344af47f5c662f5f2f663cd8d02c9e31d460682be8e9d196867ed3be72c19d497b1945761295 |
\Windows\system\spoolsv.exe
| MD5 | bdf855dabc4194d4e9d6a734347755d8 |
| SHA1 | 438331c7cb53b7fc5f057dd596c505734412e5d9 |
| SHA256 | 770074efdbd1990f89300cd42fc9aa54107a4e10f43c33f0930a1cccb76961a8 |
| SHA512 | a440eb0815a3c5f784a1bb18bf4d0ed9a5031ce34df64e2e88b3ce3010c2dacbefeab2995b8549d7450e520323fa5ab382bad147c0fb1da7f0e8f69794c6407e |
\Windows\system\spoolsv.exe
| MD5 | 93b46f93b100671317c8deda10b9bd0d |
| SHA1 | 802919a33275c8448f7d76ea59777709c97e8c52 |
| SHA256 | aa3e59d36980fec52c97938cbeeaa1933b73774fe234f8addfe53b80f9db7b51 |
| SHA512 | b11378a6481c9a6c1c49441a56971f88411b3bae8248916181332ee6c6df353a15b7590a2138d41cc911dd9562c4c3e6078a743aa8b7d9a91b881c77f04c9353 |
\Windows\system\spoolsv.exe
| MD5 | 5d37340e692ae9032ecb87de65c5efe7 |
| SHA1 | 06894e9c14e7f35045d9a6e69ee9ce04e81d35b0 |
| SHA256 | 266d367c23587ab8d4c4f99c655ddb87021d96516963453012c3b1f848b61a08 |
| SHA512 | d79a1d0fd66c09db6e607743fc14b64a556f725076cc7ca7090ce52becbaf584b4cad516c92d39c46597c3a8bf8ecdf3851d104e451a3fb6a1b910d9ab4aafd1 |
\Windows\system\spoolsv.exe
| MD5 | ba3359b66710aeaf3352da441a14e1c2 |
| SHA1 | 71bd048a3ff4fbcb68c17befac457d7aa8049366 |
| SHA256 | 9c0b19b805f5dbbb72e98d1cbc7166ffbd7d5a97c108e958023816d5f5fcfada |
| SHA512 | 72902c87044e83db7c29cd11f9ec9f58514a25731e8c50f340e88e5dd5dd6c5a8c15b2b7bd1568d45ae7f80edd57e490abfaa9a871907722b5dba8e9465a0d2f |
\Windows\system\spoolsv.exe
| MD5 | b639fe37db65f9d8f53aefcf54c82cbe |
| SHA1 | f954970abd294a17d7b10a7f80803b29418e3f75 |
| SHA256 | 9ee8a502d2499a8d72e9b310ac09650af87c28816414a834e73f859c5eee37b6 |
| SHA512 | 3740dc279a8e306e73230db20ea67441139d567310a35c5703c38ed20ee78923c6427b770671506115a14a804d14f07326a4a8b82deb42fcbafa83b34b8ed902 |
\Windows\system\spoolsv.exe
| MD5 | 8397be05bee5e9d062c0bc4e0d805246 |
| SHA1 | d9899970b6de98a52bb540a6d5f749cde0dae3ec |
| SHA256 | 0a11278df768b2ee84117360be11a33b2cdf655d6c27fe2110ed0fee89066cd8 |
| SHA512 | 83c9547a3e177f9650c97d928df8f6c1e0a5ff43b060cf5e29d4f0b9de4b491c72cc395e0de26c3557b33f46db4acc55313bff161d23ac85835006e7313b3ec1 |
memory/516-165-0x0000000002E60000-0x0000000002F74000-memory.dmp
memory/516-174-0x0000000002E60000-0x0000000002F74000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | 91731dcdbe7f709244de7175c93d7e81 |
| SHA1 | c6c4c764abe8d0c6c686f5cb6660824a5ef01b46 |
| SHA256 | 3d3cfb6ebbbf8f0ef3b559decd228544a2e85a4fa3d1df94b20fb41c716cfe58 |
| SHA512 | 7b5f336b3b944f718a3969f98a3a85a7e4e634168164b150ba6b2175f20a22ef26dfdeefc661014834dc2f78f3df36081b83da9c0be873d398010459ce81d560 |
\Windows\system\spoolsv.exe
| MD5 | 7e47ccab3aea2f89b999bc6a4150dc68 |
| SHA1 | 525ddc0d8932115dea9cf89106093afb9ef5c2ba |
| SHA256 | dfbc33ec840fff56abc2c36ef45f2b41418c4bf456d6a754b422e080c1197d4a |
| SHA512 | ea0fdcb80a884e3f2bc689b29ac53b2323f99ae7435bf5b5999b644e66d937f3caa6616e7c360381806cbc465c9f607905f150832ddb7d187f811d135047d803 |
\Windows\system\spoolsv.exe
| MD5 | 89a14397da32f7cebc5d70b53bd230d1 |
| SHA1 | 4c4a17fd8a2c9de394d4b45466eb9f866e7832cb |
| SHA256 | cd5bbbb4bd2a08161e9ec6c1fb4ccfe1fb51417b3002331096eb182c50ff9ed8 |
| SHA512 | ec13b22636e2b3790f85cba255f69afef17772806e0c72c43771f8f443ba74633088e5297fe90ac360dc7a0561f6ede1e6964faae0aa8ea13452b168ffdab4a9 |
\Windows\system\spoolsv.exe
| MD5 | 6788148be861b8cd86525ba3ad913e56 |
| SHA1 | cc1299d67708a4cfc951f7933bb7c4e991db6818 |
| SHA256 | 6618a9571dc64cdc265a0eab54b23d1030397b8a0458465b714d96a36a540fdd |
| SHA512 | e7e3ae10c132fec2c048e9a1cd422d0af0e9199b6f5390468bd9ee90cf1fc2f1e983c271afe1ba2ce02e86e5b34541aed76c8d136119e1ec7827b22d7390c0bf |
\Windows\system\spoolsv.exe
| MD5 | db8273cf8e8685dd112095fe83308338 |
| SHA1 | d6d2dbc0a03621bfdfa91bcd5ba4524f2fea89a1 |
| SHA256 | 04b78d5b5b15708275ef7e08a0da498d122d765c43b4ca1b3ccbda8d494ba3e5 |
| SHA512 | 5b372fe9b92796ba8709393f3ea0c77c4134a70bd09304772a7fe041ecd0264312da087cfd33f046001020e8d57a38c3e453b096c9283f349c68d59b4035edbd |
\Windows\system\spoolsv.exe
| MD5 | 3feccfe7983411ba349f002c5d77cf98 |
| SHA1 | afdbbdaecb01ff63cabbb2943060396b0d821ba2 |
| SHA256 | 6dfcc9b76fb18c3a3a375c569725ef856e5b023652b7e1e7843f429e9650ab02 |
| SHA512 | f58f265e2d27c645a3378216d7e7121bb09f19a01105d3d6f2db3d3fe0a578489c9dee5b8c96193a732745dc8a2b8d9cab9b474e9860313b392883108b69e3cf |
memory/516-175-0x0000000002E60000-0x0000000002F74000-memory.dmp
\Windows\system\spoolsv.exe
| MD5 | d7e94fe396fe083b5c9d9ccdb0b3f3ca |
| SHA1 | 27db488942b950169af61a3c0e8c72f22e763327 |
| SHA256 | d8c169469cd5b5bf6e9b46dc520724b3a6d9e7c4aa6225064b5277610b6095d3 |
| SHA512 | 833a6647886d66392c776d012024e7403c60dc3be459303ec78488e3e6129bd25eb5f65593dec53644f8527a5c4eca0e51749daf195532b8f632a9da07414526 |
C:\Windows\system\spoolsv.exe
| MD5 | 2046eb3b47ae2b8dac250d02548e8b43 |
| SHA1 | 2240feb6d5aa3ed61d2fe23b126cff35e24a9fc0 |
| SHA256 | 9942fcbb5230ae9d91a885a757e0ee714548791be96d34d460d190de733da9fe |
| SHA512 | 5bf042e1056f7aabaa509808d5cfef742e6c27a2638072b7101a95f032fa83d12fa1f2384301578a30bc3502016a89ba20c179fa0152a7d2b47e930fb3c7ef5d |
\Windows\system\spoolsv.exe
| MD5 | 073e8d987e080c5b0a84b25c36ae1516 |
| SHA1 | f596da58d6e75890f310ba2ab6f6e12d5bbb9708 |
| SHA256 | a4e6f5916846ee79684a3b25965acaaa821f01a6dfdcc8c05957cad453ebbe72 |
| SHA512 | b4cb5495ed3926d98c7d76c2e82f32740212bdb5784acc2809ac73a3619a535cb135403e29ccb529933ca5e25acbdc503acc4d900fbfa98e1af0a1916673bf00 |
\Windows\system\spoolsv.exe
| MD5 | acce0e1160e34710e64781a829e9c081 |
| SHA1 | b4db132c04e2de82588e2699dabe1caeb5c07dce |
| SHA256 | fac8dcf1532def030b600f5d055be351b5e1c281c03a3970b3c0f44666b37d2a |
| SHA512 | 3d21b5c82f06dfb7509d6d11151142fb6ad5ed48d819e499cddc1724c429e3d528bc3878911e1c173e654d06eb54f1a44d5bd7c4b54dd151fa3b66ffbaaad96b |
\??\c:\windows\system\spoolsv.exe
| MD5 | b08a7af8f7f2c5041bf50401cfcc2884 |
| SHA1 | 75687ec8bccbba37d2aeba800fa4b5bed8153c20 |
| SHA256 | e8586680467d0ee79201f7a9f7c6cc8c87143428e2ab6cb7e6ee555703a87130 |
| SHA512 | a312ff076d4543e7059c23b814704fabcfde887c430a8f7edd38cbb7d6e03149204839a401ddddf1a01e887ff70eb21ddf1cec92f1b7b4a8c82bf80c9d7d39e9 |
C:\Windows\system\spoolsv.exe
| MD5 | 151421cefd53a9d97dc1b189f6696be9 |
| SHA1 | 8862b763881ac5d1e6ea30ed93f19df8e655397d |
| SHA256 | a350c7cd27cae3708f5d7fd6b914a32326b39e59cc055b2e7fd2dabd745bfa82 |
| SHA512 | 79dc1144755d475bae05aa9364fbeb7dd92b1672c47deb4c035b7757a4164d8110307f398fb78f86c0e90917b5cb70331f33f72826468b94a13980031da22f5e |
\Windows\system\spoolsv.exe
| MD5 | 7908c40c05c7d23dd903b17d597b6764 |
| SHA1 | f28c8d36c481d1f6bcb19f5c1665cf8efe78788b |
| SHA256 | c9dab040cd05e2d3a2ed33b4155e1e3566431e3fdd66cfa29d224d32045d2efd |
| SHA512 | 2e9801cdebcbab3c2f47f9a3abf9019ed6e9422c637c665bc7fbe947048462c4fd689d57303d36980912b62eb3ddd8984acc217a505ac38d1300b0d89087e44a |
\Windows\system\spoolsv.exe
| MD5 | 2524e9c6d090647fd170d99837b28322 |
| SHA1 | 638903307afffe527d824f599c22ff927480a39a |
| SHA256 | 07d9e642fb18f435f630a324d09dc2bc9f24040e7548bbbf65177f8eafdb5912 |
| SHA512 | a750302bd38bda79a5c1c6abb0e345902358a42f8cb9080239224c74e7469421f2f69ae0f7ed83bdc162519725ef9732e7fd5f818144dce51254b24abd50f71a |
\Windows\system\spoolsv.exe
| MD5 | f033c108c174416dc4691c5125878b64 |
| SHA1 | 514b97b3332e3d0a34a2a1527c064b4d79e65153 |
| SHA256 | bde595babdbe2a1ca14a52863f7999dc6b1c38969274ed53679e25672ba1c30e |
| SHA512 | 6db164b05c8e2da90f611fbfc2f8b3f1b0ae7e06eb1753eb4f4e29c0e04c4f589daefdfcb94131a87bcac874ddc94a8b4ef3b0f519cb5434e165b6a0b19209bf |
\Windows\system\spoolsv.exe
| MD5 | d810b73a13ef34e6db61e83031abe3d6 |
| SHA1 | 3556f0a5fffd72074f8e73b8a8b7c4e906c544dc |
| SHA256 | 6c0c42e68080f5911791a56389efdd47580baad4585ee8843ca6fb1a322cf799 |
| SHA512 | db0cba67fcfe83a35aea12dc5c2a200ed673816391f0c043baecc9efc9826879f3f1a72362adaae97701620094c626a4ed569d7a6a0f649182064970edd88d8f |
\Windows\system\spoolsv.exe
| MD5 | 1715f1de1233c5e8f1891e6896897b6f |
| SHA1 | 9d04127a8576641686f2d169017f5d127a352edd |
| SHA256 | c7047324b3deaf59b0f922a7f4a7dbc1f2723d2b867f6d1dac4e847d0e7df80c |
| SHA512 | 2bb4a05ad187c55095df6b001e00d620fe126d61810ae37310690ccb7967cc4d762a1459784fcf12bf4fee4ba9f786a8e84f61cff3029548f42c1775a9a4387f |
\Windows\system\spoolsv.exe
| MD5 | 48f1ce045526e56e710b19a404676742 |
| SHA1 | 63decf85e9f9aa7e652853e193f08e8f8ec30c43 |
| SHA256 | fd535c29dd72ba2fc54a55cf1137d17245c1d0509b828d64da1121805a5f52d4 |
| SHA512 | 03175e262296a7388b9f15dffc8500b62474823c1c39e7c941a07df0ea4765a5df8059205837522ff8e68ef0426c50851a8fcb2c39bff6fd3b26637b99e40eff |
\Windows\system\spoolsv.exe
| MD5 | fbdda33e8a2a1533c80b89c92208cd22 |
| SHA1 | de236f43bc89f2fca9f3d51b183050ee7f83ee3f |
| SHA256 | b064acf52d6641580eba876fafc89454a6cdfa5ee2e0d2ae63ca2090ffcb8dcc |
| SHA512 | 6e1a57ea3e5c62cbda10a43dfa918a3b86e067c01a2b0495c785c9352fac477b509c149903a95f25ef4b2467c42e11f331bfad9f42587dec2e54c5c4eceddefc |
\Windows\system\spoolsv.exe
| MD5 | effe54d72964d4b16fd0887ca6c6fc1c |
| SHA1 | ea1e89e550fd40f76142f157ffc6e545076e9305 |
| SHA256 | 612bfcd85a96061d2ae11121d8a26071b5bd54663dd0aec345c0c8f10ad4a591 |
| SHA512 | c922c001d77f75e4bac73b804287de49ad5c58fee0c068bb36543ec2dae7f82edc3bfa1d0d682feca2eab0bd3be9829c44ed0318cbb5fae858feca70382f5aab |
C:\Windows\system\spoolsv.exe
| MD5 | b2e7c3dda4b9883daa4d13ab508a2f9c |
| SHA1 | 4d49fa21a1ed50138d5b095811ab15316f734f70 |
| SHA256 | 20840adb780205669c876b89fcd4177bc2f63212df8c4b68d46745470e27af30 |
| SHA512 | 4b089c115ce6abea179fbc7f158f088c9ed9445f2fd054fdb19feea6b42b9122e16a7e905415b97205cbbf2154eedf083fdceb2083d8498a4dee08f4c31eeaf2 |
\Windows\system\spoolsv.exe
| MD5 | 985099140bcd84bf0db731a49dac595c |
| SHA1 | 7c50084987186e18d100e7571f803f1a89fdae56 |
| SHA256 | c674e9aa36405ba704381009f292db48adeebdb31baab257c067bb1e1f2c4e80 |
| SHA512 | b6832f9d6b218839becdabd5d0d984459eba8d78708c56d3c12c745807f2606b3aea21ccf9294638e70fc4906a8cfe0897956d9063805d2a5ecb17132594c8e4 |
\Windows\system\spoolsv.exe
| MD5 | f4b502475e47de262209325e42f75f1c |
| SHA1 | 18ffbc9985a0e4920fde4ddfc8223b5ca57d9cba |
| SHA256 | 76d315a4be5b36b42ff106a4b89ba154d748542df1ba8ba8cd9843ddec34cf71 |
| SHA512 | 654c9d68be0cf1fecd159b739ce276d8a88809aa36f11edc8f73875265d94e43162905a73af97dee346b1a6c0e3bd9a7a49acc5bb2178f32798d904e19f9b5f6 |
memory/516-189-0x0000000002E60000-0x0000000002F74000-memory.dmp
memory/2224-225-0x0000000000400000-0x0000000000412000-memory.dmp
memory/1088-224-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1584-234-0x0000000002D60000-0x0000000002E74000-memory.dmp
\Windows\system\svchost.exe
| MD5 | 8dff3fab93d405238dd0f25378446765 |
| SHA1 | ec679acfff8eaf66c8bd5369dc46f58b39723384 |
| SHA256 | 1b509837f423a381161796ef27243b44f1831a01db44f531244e9f19d0e0163c |
| SHA512 | 881b0ce1d46f26388e63fadaace30f792149f6487876f178b1525c39f4efc6a26655618a1d9f4cf8ef1631564e7f559240fa7e245fc6aa42022962f2b9ea336b |
memory/2860-237-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1584-241-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2860-238-0x0000000000220000-0x0000000000221000-memory.dmp
memory/516-243-0x0000000002E60000-0x0000000002F74000-memory.dmp
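The Files section lists the same dropped path many times with a different hash each time; \Windows\system\spoolsv.exe alone appears with dozens of distinct SHA256 values within one detonation. The script below is an added example and not report content. It folds the report's three spellings of one path (C:\..., \Windows\..., \??\c:\...) onto a single key and counts distinct hashes per path over an excerpt copied from the list above (the MD5 and SHA256 rows of a few entries only, so the counts are smaller than the full list would give).

```python
"""Hash-variance check over the report's Files section.

Added example, not part of the sandbox report. FILES_EXCERPT copies the path,
MD5 and SHA256 rows of a few entries from the page (the full list is much
longer); nothing else here is report data.
"""
import re
from collections import defaultdict

FILES_EXCERPT = r"""
memory/2532-0-0x0000000000400000-0x0000000000514000-memory.dmp
C:\Windows\system\explorer.exe
| MD5 | 09a3326d9b2a18571217ca9625e97ed0 |
| SHA256 | 162238d541e8bbc5c08d3c4af7c1b3e0cd0c8dcd22381b1db3dcdb7db28043da |
\Windows\system\explorer.exe
| MD5 | c59ddc97800c5d6b3d98c79aab521c56 |
| SHA256 | 3da86bfb86778aa75b017a415216e37c7bf629f701cb4548fcc11084f8966884 |
\??\c:\windows\system\explorer.exe
| MD5 | 84583f078c647c69a4106f27a6d92565 |
| SHA256 | 74bb65d5de4a0efe859d285f102d17cf1193be9b8f87e6eca93cb65d9d5018e6 |
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
| MD5 | be7c39fa5c6e3fa5da3d5ca5d484e8dd |
| SHA256 | e150e08ec485d6e248f7e2d81aea8b6afac95ac088dd16df78c2ac44caf1c543 |
C:\Users\Admin\AppData\Local\Temp\Disk.sys
| MD5 | fa2759c9c4cf27a0e834c63bc058940e |
| SHA256 | ad12b51f957d82d70e02197ca8b273c40446458aae7f701d0be0b592d3a9a9b2 |
\Windows\system\spoolsv.exe
| MD5 | e662a84c75876126ede6b9e4a6f61381 |
| SHA256 | 63cd83fdd66a65e8867b2f0365f20549a092a487745c650120d4c3c655931c65 |
\Windows\system\spoolsv.exe
| MD5 | 53f9b43bd5d7bec1ca2108e5729672d3 |
| SHA256 | fc4f5c03f6f8ff79c41ef77c25edcd46afad6f138af69668facd75d384accbba |
memory/516-102-0x0000000002E60000-0x0000000002F74000-memory.dmp
C:\Windows\system\spoolsv.exe
| MD5 | 1497c6affe7a1a887b7d05e01e3948c9 |
| SHA256 | 183198a38da66771bdb10008ef81f129e28e1addf63cf02ec3f75982c1f3b638 |
"""

HASH_ROW = re.compile(r"\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|")

def canonical(path):
    """Fold the report's spellings of one file onto one key: drop the NT
    object-manager prefix, drop the drive letter, lower-case."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[a-z]:", "", p)

def parse_files(text):
    """Return {canonical path: {algorithm: set of hashes}}; memory dumps are skipped."""
    by_path = defaultdict(lambda: defaultdict(set))
    current = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW.fullmatch(line)
        if m and current is not None:
            by_path[current][m[1].upper()].add(m[2].lower())
        elif not line.startswith("|"):
            current = canonical(line)
    return by_path

def variant_counts(text, alg="SHA256"):
    """How many distinct hashes the report recorded for each dropped path."""
    return {path: len(hashes[alg]) for path, hashes in parse_files(text).items()}

def polymorphic_paths(text):
    """Paths re-dropped with differing content. Hashing them blocks one variant;
    the path and the behaviour around it are the durable indicator."""
    return sorted(p for p, n in variant_counts(text).items() if n > 1)

if __name__ == "__main__":
    for path, n in sorted(variant_counts(FILES_EXCERPT).items()):
        print(f"{n:2d} distinct SHA256  {path}")
```

Any path with more than one variant is a weak hash indicator for this sample. Hunt on the path and behaviour instead: explorer.exe, spoolsv.exe and svchost.exe under c:\windows\system, the Run value named Microsoft OneDrive pointing at AppData\Local\Chrome\StikyNot.exe, and the RunOnce values under Wow6432Node with the RO argument.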