Malware Analysis Report

2025-03-15 06:30

Sample ID 240128-gn7w2acha5
Target 7c531d1fea8dadc8067a0862439b38e6
SHA256 14e9641eb54a6a1636b8d20f59805bb4bed00aeb75e04ae8187d2b4c93611c5c
Tags
warzonerat aspackv2 infostealer persistence rat evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14e9641eb54a6a1636b8d20f59805bb4bed00aeb75e04ae8187d2b4c93611c5c

Threat Level: Known bad

The file 7c531d1fea8dadc8067a0862439b38e6 was found to be: Known bad.

Malicious Activity Summary

warzonerat aspackv2 infostealer persistence rat evasion

Warzone RAT payload

Modifies visibility of hidden/system files in Explorer

Warzonerat family

Modifies WinLogon for persistence

WarzoneRat, AveMaria

Modifies Installed Components in the registry

Loads dropped DLL

Executes dropped EXE

ASPack v2.12-2.42

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-28 05:58

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-28 05:58

Reported

2024-01-28 06:00

Platform

win10v2004-20231215-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

Signatures

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 5056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 5056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 5056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 5056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 5056 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 4288 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe \??\c:\windows\system\explorer.exe
PID 4288 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe \??\c:\windows\system\explorer.exe
PID 4288 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 4500 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4980 wrote to memory of 5048 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4980 wrote to memory of 5048 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4980 wrote to memory of 5048 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4980 wrote to memory of 5048 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4980 wrote to memory of 5048 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4500 wrote to memory of 848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4500 wrote to memory of 848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 4500 wrote to memory of 848 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2176 -ip 2176

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4888 -ip 4888

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4136 -ip 4136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 392 -ip 392

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3200 -ip 3200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4496 -ip 4496

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2528 -ip 2528

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 396 -ip 396

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3368 -ip 3368

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4732 -ip 4732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2364 -ip 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 440 -ip 440

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3388 -ip 3388

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3020 -ip 3020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2368 -ip 2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 1680 -ip 1680

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2516 -ip 2516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4888 -ip 4888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 924 -ip 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1584 -ip 1584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4556 -ip 4556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2024 -ip 2024

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2272 -ip 2272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3292 -ip 3292

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2308 -ip 2308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4488 -ip 4488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3480 -ip 3480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3480 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2548 -ip 2548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1436 -ip 1436

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3196 -ip 3196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4756 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 4756 -ip 4756

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 652 -ip 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3508 -ip 3508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4888 -ip 4888

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4480 -ip 4480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1544 -ip 1544

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4056 -ip 4056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2804 -ip 2804

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3860 -ip 3860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3168 -ip 3168

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3372 -ip 3372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4984 -ip 4984

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3812 -ip 3812

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1044 -ip 1044

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4784 -ip 4784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2520 -ip 2520

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1028 -ip 1028

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4804 -ip 4804

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3856 -ip 3856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1012 -ip 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2076 -ip 2076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 192

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4148 -ip 4148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

memory/5056-0-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5056-1-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5056-2-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5056-3-0x0000000000710000-0x0000000000711000-memory.dmp

memory/5056-4-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5056-6-0x0000000000710000-0x0000000000711000-memory.dmp

memory/4288-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1948-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4288-14-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1948-18-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5056-17-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1948-19-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\explorer.exe

MD5 6632cef9f03f02159ef1773ce38b0401
SHA1 f13e86e61015f28114a3da0865907377120b2200
SHA256 59f4ac393b8a9668027411e67c74bafd5c8af681355cc84075083910a2f07625
SHA512 f670b9eba363962adfc7f67f11bcca0ed08618662791a69c87908b031ba7d92f7989ee50546300fd395b6f16486082c26ee4843b19ef1afc90aff24bd1f249c1

C:\Windows\System\explorer.exe

MD5 d9dee7c49668b7aa57da3f9f3eb0b458
SHA1 de3bb2b9d84072fa8d33ec73e3a4cfb7d560622d
SHA256 970254f1a9ed4653c4f19561d438c4ef290b7465ad1612e5eef73834dc8bf6ad
SHA512 af9102fdf104fba991b6da95819e2e44264d45e20a5bff6fb8c419c040d89cdf0914a29e10ab6832dd15b71a5940a5a778cf042117f930cda97b9e6b3e97e618

\??\c:\windows\system\explorer.exe

MD5 4e5b2cd28551717043b92b0c2dbd204d
SHA1 d857a6f2f517f72bdc6de94a0fdcc5732dc65aa3
SHA256 06036834369de85a995d6f9b5f2c7700002f7643e6d143b479a84ae5fa71e063
SHA512 49abdfc5c6d8fe4dd8b2d9819d5f8ce3ba955b70b43e3de5b272176b175000dbdc5577328d9818045524e8be6d9ccf831851f9f4ec3cf23f078fffc31c9e5ca9

memory/4980-28-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4980-29-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4980-30-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4980-31-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/4288-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4288-32-0x00000000004E0000-0x00000000005A9000-memory.dmp

memory/4980-34-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4980-36-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

C:\Windows\System\explorer.exe

MD5 66572e8a1cd64d2827d5ef5bb56ed85d
SHA1 446e5c59c156e8d5353b9a518a2bc56a29b8257d
SHA256 976ab0fbe11d96e4c10c1c3fbd5416798e55d647243c97c5281092f8490358b5
SHA512 d6185676913ea70a18a7b58959b0540ccc5bd02a1908ba0500970e90225e13d134e59852c79d8abf6f97dad21e0b3fc98c24935fc7e17a39c479b147aad53ddb

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 d74b179ce593f43306a4cf4aef79b438
SHA1 5b16e438751cbd37ed01817822b20b912cf2bfea
SHA256 86ed127bc76354c93868b7e3f283d4c720946c0afa6c3de754e48383d1e796d2
SHA512 9a00b2d5e058945c4803a3586f66a3fc7a1be217e142ae0ada9363cc89f367d9da4e5eff1dea0fd8dc1a42315cceec2833711544ee60a2fac60eebbdad690962

memory/4500-46-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 ba09f1383f5f0306eb3107c9c78f7620
SHA1 fb9bb8583a282f39eb3c6a1a09a3f95beec93d61
SHA256 0b7b40290d10a4e2f5659816e2d7f53f19667c1c318c19ace7b2a8a8b6f9c101
SHA512 cdfb75e28a01611babc5859ce6db0585f79d682f781babfd7ca34b8860f81bc6c906e22f111c8c4995bbac9326c631662eec773f2fa8a906debce3e943721aa0

memory/4980-50-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5048-55-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 25958de6c9fbd4c085592ccc9d85b254
SHA1 bb9311faf2ac9672b2b582c4ca12aac13f124d6b
SHA256 02b254cb54ee9b62051e91d7801e408d85e23545729c5b1b3f7a0971b10a3a37
SHA512 deffae271474564910d7522a27d989230939e52a48a5bc75c7fa56454be4cb2cda8b10d7c92da73148e736b5afda00a664a7a6a736849a45bf6459bb46277b8d

memory/848-62-0x0000000000400000-0x0000000000514000-memory.dmp

memory/848-63-0x0000000000400000-0x0000000000514000-memory.dmp

memory/848-64-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/848-61-0x0000000000400000-0x0000000000514000-memory.dmp

\??\c:\windows\system\spoolsv.exe

MD5 bedcd9704189b11ff6fff2bf1daa1e58
SHA1 d1fe072187f05af4265dafa70de86a69950cb0de
SHA256 8daa0691fb578a54d19d746291a0cbf402490e56deaaf9daa4a9773d6781eac8
SHA512 a2697ff8248967c8b5dde68a94723377fc28c8f8c1787822d77ebc7e6c8c44e60be5a9c9a48be07341eac43c220c3bf85221bd197b694e85fe2c8b370130c389

memory/4464-68-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 143e44669d499180284d85061dc8f289
SHA1 16d36114537e92cc94c6ac3c8d1f09966ceb1739
SHA256 37cdaac10fc76f1fb22fc80d4405b5d2db22cecabcf4983e208d825152df897f
SHA512 0a98efc28169084f9f080b27a5322f988c2fd9fcce22e34c87646028f314d6caf6f0487ef376f803a18b9edd85702e4f9dab027db708be9fdb96646e213dd360

memory/4464-69-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2176-71-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 21eb04fdc3e1986973415601169890fc
SHA1 4539d885d66b53e21c59ceb66c523bbad4cb3a44
SHA256 053f824059f2d4a98a74cf8192e5f15af03e2f3488ecb2a02eab325b350faee6
SHA512 51011733583cfb3e988735f6e16bba88f6a8c47ba6331bc3041a88240d9283e4831e3dcaed639be4436aa177d969c033dda9c07566db8edcb2520a83e171b9fa

C:\Windows\System\spoolsv.exe

MD5 0b28d1d51111e1ea4b61a0fe6240bd2d
SHA1 080f730156dda4048cae0553ac2ec459d0cb1e93
SHA256 984c1710367920c99ee9cf02fe008a693d374c67c886824ce3fe359259c76f94
SHA512 08068f862701ccf483eff6f384483011d25683c8d0509a2cfe613465e0958dfafc910a686943d2f645a9447d01f8355748252ddd329c9cf8228fd5acb9dd5fb7

C:\Windows\System\spoolsv.exe

MD5 7a7532f9eec9e7c1640955864693048e
SHA1 a09ef56fb4f396df20ce153a6653a51f74f20285
SHA256 57e8b3b4bc8386070ce6397d5e53e601f64e58a5ae441af34bfcab2e27180e8a
SHA512 42c96d52e3f7bb9fc3079ec17a13e0224a76f533452b0dc9367e0b7b5557f84320d41147bc8d3dab0bb5b2a828754aacac5b2fe8eed9262ab927599cc083b900

memory/4888-74-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 207b81bd303dae3956295b494fe93425
SHA1 32fe3ffd3a3fb935dc753532248e451d2fb59aae
SHA256 f94dd434b20b144b15b786c08c300787c9c24f5b6ead56680a7c71b7a2e68a07
SHA512 df0754b4e98ab7ba4f56bddd01a4b34c1424b3bd1fc9000c8f37ce7102cee8bc5d01a5eb32cc613f049b3608bd7c3f61a1ea7452c81b53adbd08dd875d54214f

memory/4136-76-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 18ce6bdb3f1a2773e64b0a8a7c8661c8
SHA1 9428e35e4278de33e681655871531f19173fe5e0
SHA256 bed9e52bc3903b17e266695f5d50c6f77a8a03581576ff9680157fe7be04fa9c
SHA512 59d4b7b4f1543154b5e5743810076367ed24ec660740a4e57d2e682f70cd8e9bc129ea97c98f39c05a68fa8a7a252ecb5627a064e0327ef9e1da17efff72cf04

C:\Windows\System\spoolsv.exe

MD5 902942c45d3297ac0bde33fc41580170
SHA1 16f7c0ac7f4f0833e64280d174dab8808dac1aa3
SHA256 fcc487ea84888a3380356dd03a27e4f7afb726a50641d4180093f28b30778b81
SHA512 80e6b96d954a022eb42bb6b85cf9248db7605a12ac0e6824e3827c20ca27c62cabfc77f3bc648ac5eef1108e29dd7cd0ab32568145fa1169dd569b9e38350e0a

memory/4500-79-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 aecdc768b9703013cabb5b284e1e2b81
SHA1 b43a0d9d7c2499a39e65d57daebbb0be5b08d01f
SHA256 cb194997211392d6ac73d1559dbf9ce3bcc17f412a1a198a5dc1cb89fb9d33c6
SHA512 f39972c60e8c81e5853d8492a3b122f250aa2dc447390af437417966136793a4436c35070fc01215b10eb0de748d3fea5aaec444f4c019e273a7261b433fe48e

memory/848-82-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 eb911616321eb19e789da0a5ea2dbc66
SHA1 2df2e397ec8ae5c2d783ead3be17d7c752519c56
SHA256 0e6366cbbc20dc698dd1c9badbe0e06fdca1c77f30447602df274d9376203228
SHA512 f7bb7d807ffec5c5c59758183e806cee96bc237c2006059c952b2ca3ea6b707c04e386cffc1de52113e410c60ca54b32673f371c00275b0ba4ad0414fa7371b5

memory/848-84-0x00000000009A0000-0x00000000009A1000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 53cdc0226044120df99e4d01a502a8b4
SHA1 1773f9664476ce86a07c1fec5c1e5ed382618fcb
SHA256 882e0c2965c1824d8f7fae04fa59675cadd53e81c2c663a01e587941bd1fcec6
SHA512 027291ed964f91a6f1983d5982a9d2878eb2efc276d19c569d0e52a83b59defbc6cab2ef2f993d638d724919a2dabea4e6e7ba0751c7036571ed095df0d82983

C:\Windows\System\spoolsv.exe

MD5 90c8dfcc30c29c2c51fd1c1c5599c3de
SHA1 893c8b18522b0299cc3d70ed0250d93bcbde8fbd
SHA256 b3634f8b86aa03c916bc3ecfe7112824b70bddc0a5b439bd266f75b8fd7114e9
SHA512 b93f0c2f653d66f242d018254293b229340d81a11c04b73ff068bea2707ff82e7e790cc7015d571cb0724c896bdfa621e016da22adce88f5a0ca653d7f36d6bf

memory/4496-86-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2528-88-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a40b6a04ed8f42e3ba9de4468ee9a7db
SHA1 6db6b6eac81b26d353598cbc354fa76292a889d1
SHA256 e5aeef68dfd6399594a856c66feeb62d8d567f386ed11e63e8a6e80eed2244a2
SHA512 a3ef863289450b8f5af9c51907b3cea83f92b016e87c14a690d9e85d182d5fd88087b6debd85657199230dfaa22077e9da929e29ab7ca87fe54515a881fa152b

memory/4532-90-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 474454af3101f2e79099e4051466010c
SHA1 b4b41fdce57cc809d755cb2766b6e4976fdd3446
SHA256 0d7c04c251df31ed40eb25c746de670d0688c431dd3eca4b2ab5ebd1223bc1e5
SHA512 785f6e93deb1b07ae9d6b1d7c99cd5099a7ab364b53100142a66356187ad95c1792d04e8c9558644ada46dd19431ca79cfc758048d0bcafee7ee5e8d056781d5

C:\Windows\System\spoolsv.exe

MD5 0aa7e03625af39aa37861d61ea7e24cf
SHA1 b518036c5b30982364407104ce2bd0dd6210ea18
SHA256 aafc1c2c5fee18c59716ff85e9c8a8171f2c3f17a92eeb36dd33d5ee580e5a05
SHA512 677e0548c10619f8d8b5b16e4e057fb853ac8e6067797577d4e2e4246fa1334795f243160e9579845666f7a5ed86de913eaba814ba639a7418e0eff08a5342e6

C:\Windows\System\spoolsv.exe

MD5 f517957eef2eeeca3489237c944aa8fc
SHA1 2c782f63c5d97fcf1f5c9a9afe080147572ab64e
SHA256 deeb398350d35636a424ae4b00d49ce690cdd46297c7c04fa47d9a43a4a1f57d
SHA512 7cf6dc61ed8c17df6a9a4c99130b0f0bc1963e3ed14a69ef54161db9be877c65fcc67910a87ba3c1260ba617d2ee1cc249b905681078c2fe8875403e02d5025a

C:\Windows\System\spoolsv.exe

MD5 db257b3c4aa118d5405a73f76db1f1a5
SHA1 88ccd47cceb0d242f84c910f74a50648a77b4dee
SHA256 a8f305d659c37d9cca7ba956959a15c3f43e327353c03cc76c4e94099eeefbf0
SHA512 8b163497e8d17e411a589d17cfb8b5c5162781892ea2ec8840b11333ae94413461a05907fcb63ce3ffebeca11deb627f6a4e6c5469629818374546dee7f91477

C:\Windows\System\spoolsv.exe

MD5 67097edd98a86ce36af2cf196940c5d5
SHA1 cc881ce1ceb31318e0bee849ec7059fdffefbdcb
SHA256 7aa3736b628c679b94eb697399957dc49f77cc26cefe4313cdb89d9c486e0a3f
SHA512 609817fe6f64668339b7e153279afd2bf4e46a4d7762e0901f4c7229b4ce9309fbecb3185253eb17ea9f304653b91d4419e28091627a8f977601b6d1489faad9

C:\Windows\System\spoolsv.exe

MD5 2e55b4e303e6b946faa4213bb2a1998c
SHA1 66efd7c64320ae353554c84035a9e1c31ec697ee
SHA256 7f388d7e8e121b4bd37aee72017aa89af5fba5e1ed213a4e18441bcb333cafa4
SHA512 1aac6dcdde1b5e293201a3418bed26d621d03415434d47b0f4f97d5ae636841221cb0b9b5e0dfacc1aca0025697f1f2d8db6f74e07c8cb4018a28b6c2ba46eba

C:\Windows\System\spoolsv.exe

MD5 5d10b067f1a522204c077200c8ca2ae4
SHA1 58005d689420435f68c49d190cdb923d12a14af8
SHA256 18acc99b0ca1fd80b87848aa5477b73db76dd00021b7dc0280624631eac9a5b0
SHA512 3c87a273e44fd57688ee7fce6eb69c35bbe173c05af3e373086f2cacb5ffa172120ffa1b81dac0f171cd060702b911408062d29b7cb43cd651529ce39b2edb64

memory/4848-99-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 7d39849262a5b1611b42f325f4025671
SHA1 79d64ca7af40aa693aff1be739e081c726f76606
SHA256 03031b37307a8c05c64032b5b8bf3c2221530442a1300eaa335c831d9da282b5
SHA512 5b5c95faaf5a6dbb597a82a9ffb56488a69e11873935dfeb9847a1c341f1dd13ce48d214f6aea1e06b3d77dda8eb7d14694b5489df216528bbf6301d47f60172

memory/2364-101-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4240-103-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 e1512edef4b4561ea8e52287fa168ed6
SHA1 5e05047374061b8cea897431a3136765a0f6ee2e
SHA256 ec2b8dac463e28b82d8d22cd026d55dc462cef756c1a5df0d1a38a9da496c9ad
SHA512 6643acfca81e26fef915d4996d03075276a2d57c7425be4915a1562e8184c63d00085c2ef7406124675af677f5b97716c80ccbd0147dec53bd7abb5b6dd62b56

C:\Windows\System\spoolsv.exe

MD5 ae49fac716827b25ce9b0b1d8f1a981d
SHA1 70dfccb5ccbeeb0d8f88807dda8dd3c9314ae489
SHA256 d8d6ec7b6bd346b416eab93e022dece16969af3a85b9849cec187f16042f9318
SHA512 62d0c33a6dd99cbdbc233d8337bce4488456c41be77f9282ce0c6bb19ead5a8cfc40d56a538809ae95204b2965b5e3a26fe393762efa249feaaacef1e5b48be5

C:\Windows\System\spoolsv.exe

MD5 c4b71491fa43b28a24f649e18c5e7f3f
SHA1 505ef69d688eb8b2df40e2a484fb272c57112454
SHA256 c670e62c6c823d5f2e24a86d64460de7ea848a7c4f5c7b2541c3895e7595864e
SHA512 7148df6ae58a8e093ab0a2fce315de0029bdfd93f8fb713112e335a3b8fb0ef16e6ec9777a56be78f057b3f31461397948d8f8b7480e89fcf62d5248a794c9fa

C:\Windows\System\spoolsv.exe

MD5 e9c8b77ed3758d3cbe9d60764a1764c5
SHA1 dbe95d1e89a206ca018a76554ff4a24a6f4fdf08
SHA256 020158c0264b3bfebdeaf03af4e7ac6e6bbc76ec59049481f3593a43d2f3cf96
SHA512 1d3112384380fac6373ab0659222fa707d7fa1d1f44b343f6293851f9c92f13b40aa08c85125cd02bdff99aea365c588aa435dafafaf7f5beeb07f5953ff081b

C:\Windows\System\spoolsv.exe

MD5 c4f22a2e748e5c58cea2faa497730107
SHA1 0a0a05bf1af847d4ee0e5089538faa2271d5f38a
SHA256 0eac8f9e773b34b8dddd147ee0b402707f3ff2b05d0c812f90b597fb1fdd49a4
SHA512 f626235fb07c923fb1226c7afdf09c6ce88ab145bb91e50c946aeaa84a18a18e506c10da9614a6c21b7460ea195b8a08e2f84a502d87c91b4758b1450e3dab3b

C:\Windows\System\spoolsv.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System\spoolsv.exe

MD5 026269be428e7fde61e41c305bdc350f
SHA1 5db4862b3b93f9f246ce900812429377a8ca6958
SHA256 9818903b67a89d9c60d9cc260a1e80589491cecde7b72b26cf39373046b4cbe4
SHA512 248a67cf1596bb4eb7e6bcfd4b54b33fedb86f7c1166e2a03532c4162918def9c3389a98fa6fc5a51e9b6a7039b09a3ecb255418f2392eb3a5b5a903c68f75c2

memory/3020-110-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9441a5bac1a35dbe2ab3cb7e7adb9c18
SHA1 e26eb31b48dc25b4aec87b0a1f0fc6ba72c9f43a
SHA256 68a9a46819844f045c07902d8d93102805f457eec8a0638ad5b52f1c91452b67
SHA512 bbc1bb0f63088048b0703cc92b2698921eb6d1765af2baf5b0a1a3a19077315529c3f549468c171c46334f783ec7aca170c5592f5b26e59c542a7830f10dfd64

C:\Windows\System\spoolsv.exe

MD5 62cab379c96473ac35a20ea202088354
SHA1 b3eb98e14e390757d3dea480888c75c47b816448
SHA256 f433ca2dd2ee6fad7627b27e523b580a8d5405018870bcef2b15abd881d253a0
SHA512 a292a19087f6df6545111c6e77f054cfcc1d10716a7d040950b0ca83354640972ef2c34e42514e6bfbbbd7a01a8a2eaaedff15d59bd379d2f8eb283a86fe1a37

C:\Windows\System\spoolsv.exe

MD5 0268bd036379b7edc3c404806b86e5a9
SHA1 cc707268426ac7abcd29bdb3d01e59f45eb61f04
SHA256 e5e4b24b5f075014971087fafb379264f2ada2da15b4adc5adceb7422860a37c
SHA512 7fe1aefec00029662a37293544da44bea6b0ec365e712dba22ffef8b5f9c231b95160f7439992bb811873a76fcfcc614627b2d57ca0ead4a4fc1eef540876ef8

C:\Windows\System\spoolsv.exe

MD5 357684a68676171420e7c41f34ca1ae5
SHA1 e78078059568881e6fd9e48c7312427abd33987e
SHA256 52ad94a32f97073a38f987b93ef7e128d0d6a0af29ae6cc289cecbe7eb218ca0
SHA512 8e69b98d380fc56082d85ec885eb6b0440d2a695e40125703fbf58b08b95bee7e305c755a81ec38c1161350aeacf365d95d6ec25e3c9c91c2e60df86a81f91b2

C:\Windows\System\spoolsv.exe

MD5 abadf7489926bedcd222e00509adf527
SHA1 a26e03d3c61bc70db1ccfcb460519c9d2a8b785e
SHA256 a68f09a278607cc2f308d499b8759315b64b760a6d63ddf863ab0eaaa26a5ad3
SHA512 b05987a38a66ba0b21306812684f6490c459cf4b02211910ad64f27e5cb5121926748adeaaa7f7a60ab56a3462f788aa4c6e99ea7a8c115608494c425ba5256a

C:\Windows\System\spoolsv.exe

MD5 c1f6879abdabc47c1a015fc3af7c313e
SHA1 1b0db957b8ca9a63d9b214418754a3b1572c291c
SHA256 325a62c856f2db47c4c48b2e99e2b7f4f88256b92e13e46f0c82dc019dced138
SHA512 eb82ecb73215c3d364566b00d0a422c875cf11b308ab721d70792f5510d63f6895397687999246943cf4dd15e2d195a4e09e185b37906af94415f5ef218f8749

C:\Windows\System\spoolsv.exe

MD5 22672156464e9a0973d6d6e2396fd69d
SHA1 2b298d70022d31c02e399bf38d6bc4a3cd84f209
SHA256 b6ef7c090e04e780cf2c5b4a5d8b7f0251149650de98e5cc9a2134f32c84c31b
SHA512 3a379244c6dca6d50ce9e94aa68813a84e5b0f3e0489666341cb59ce0352f87b3b071c335de247ad206b7dc516f20aabfd807377218d07265cc4a2fd261b6b80

C:\Windows\System\spoolsv.exe

MD5 0465c7b6cc30f0b7f703f4b3e657fc6e
SHA1 500faf01aac9da347ab2931f34a18fd433b29b89
SHA256 bdea68c727b014aff2bb6eaed0af517eb5ea9d3c4220b3ad6676a8214cde78bd
SHA512 75819ab78357bf4b58d29446a9b81eb3ee995a1418b8fad4e59f34fd7ce805b14475c29a45a0034f6d974b0131809c2aaf7d49877b8b9085fab03bed087077f7

C:\Windows\System\spoolsv.exe

MD5 db8d39e1cea12994433510f85c219758
SHA1 b9bd512ffc8d59be6fc4aca00e76dc15bf2af1d7
SHA256 99abf4d29f38c1663662c5ba022ddf6353927cc6877cfc174f758c4e6360c7f7
SHA512 443c2081b208867c363c256f9c30e4ab8f89a3d3dd8c41cdacd915a074a09b3cd0ae76e607eaedbeb43def3255899eb58c4e7d5d4bfdc2889918e7d87e2486fc

C:\Windows\System\spoolsv.exe

MD5 0c20e4c2a92d86dd2c7941c4f72ac6a4
SHA1 2353f110afd2a77720660182fb1f5db63bac235a
SHA256 d5f0b0632aff0655ff34d29303ed6b1f3b8dbfb40e9ff7a12b3112ce010df09e
SHA512 a2bdd934abbf1d97c0bda8af808460b6cc486c73d88a6add989cb91238635061c9eaf93d15831b535c37541d8c195a7d1cbcba67d47a671bfb2658f69beebfe9

C:\Windows\System\spoolsv.exe

MD5 3b1a96cb0f3bf504fdf233aa51bca43f
SHA1 cab7bf7622c278c8ae985526a668de74b08ba55c
SHA256 01d865f1333de66fbf81c8db5f69b4ef54ffa005ca70c65b1b3932371fe1c895
SHA512 49605dae6b317fc4d71dd23d39c627869bb6713dbe90c8b4551caedd23aaad3a3cbeeabd1bd09723e36e88cea4ed1e4aadb9703300046ab57a2010901f25d616

C:\Windows\System\spoolsv.exe

MD5 4ee817df9ccfa2e439b96662f2c2cd4a
SHA1 13ef49c77e1ff65039a5d60f9efc630dea3bdecb
SHA256 f6bd22a077d6a53e874446b0ee690aeb5a5e559fba2357d6c05753cb21f00985
SHA512 d8785b1a37b50e88623fa416bfb2d74547730768de6326614842d20324cee79e0b4c34081cc954f58c17737d94f2994abf93a6ca8248262d5d83bde9eadee91a

C:\Windows\System\spoolsv.exe

MD5 863e32a75109d62b4a93a2c584f62557
SHA1 8e5cf08d52684c6c8ec6b05edad9c06f56cfce88
SHA256 0b779c300cf75fe1bb06ab20d94493181de43909fa598638fbbf4b5bba14043a
SHA512 2ea889653806f4291870b1b416951e6a964b2f39d980d06df9fcf1dc0a5f5ca2242c66854c7b12c831d34e7cfe0e59bf34dc6b3d8a5e5f766c52b66ff7f16082

C:\Windows\System\spoolsv.exe

MD5 e5b15a5727c8197e1982db4eabdecf12
SHA1 46866a52769008b9181618e891a67bcc0fc60ce8
SHA256 20ea4611043ccc69210977feb8158bb9a7fb494ca5e7d621ae7d13441c58fea8
SHA512 b3586b6739dbb37bf51b0f7ba2cf9f0d292af56ed817d338fd476cf18c44786699673ab7052a18f1c371f862d40e23b0279c7b9624e2e471f1ec1165ca06bd62

memory/3292-127-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3864-129-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 972ba801a8189221630d7b0f727f0254
SHA1 7ebabe6d5ab0f20841eb6c580d5f5d178f52cd81
SHA256 1052e3253e2fa1e31d78321e65152806d3296e878cef7faa33ccccebd26c83b6
SHA512 b64a8aa0c0224928feb47e5de60f1aef9eec218de8077d2cc634ed94b586b626c70f139b19844d217ce74a6f30b998e7f3fd5080b48a51542532324222ee4f72

C:\Windows\System\spoolsv.exe

MD5 5646692df5d8ad309e7a3053da56de18
SHA1 9a9fd4be445f817ccca587f532ed77e1adf15c82
SHA256 ca4772c0359c3d60b1cc9525645dd54a86197b0ade380534bcb91f1a1ccf2122
SHA512 387018db81cab9e3490adc28d7d33871e78c218d2e0b6297b3266006430c4ce29af887a17b62398f2ca4b6a72accbd3eafbd96f4c571e9227e6c38430f2347ec

memory/3400-132-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 f5ba614ff455b052678d27e9db4dc5b4
SHA1 fe734952c4ece5d362c05c35b5fede6c8de07dd2
SHA256 9e9c7c0c76effed9e59183ec6c890935e6e94b009b5d94ab477357831d54faab
SHA512 c86aa19a4f3743e2a6f4d28248e72922d726ffd7f2fe35c742c07e803ad7c889ae8141586b4d6834745f9ae3aae305f841191b814d1f4748a0b15d8e2c09fbde

memory/2308-134-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 a693d59cedf373a7699ece62e07f0fc0
SHA1 08212ab05338eb0aa9400b5498ada23beadffe88
SHA256 22ce85f09e07d0d9cca4804d1ab4c63b7ae31ad37eeb2d793fad2ac42d81225a
SHA512 b854cec8a56cb7fe442a64301c62ea167a86b231d386fd649b94e5f590112ed28e73f9628444a079a5265d3672cf52bfecc9ece9021c725d64e9c8c55a702703

C:\Windows\System\spoolsv.exe

MD5 ac4f82c062e52ae3e426ad58d6d34f87
SHA1 c4d09d2d5b85e85b5ccf0a6040791e624a063585
SHA256 8587a98256934e44bea3ff0c94ff311925ed4d528a24afc526938f15e2e3e427
SHA512 5ab3f487fad8ff19e1b35b9ddfabb6424d9c716b28a219d5d6facc2ea6abe39e4b70a28ff808d19e7a4875347d09f3c4910a4e3752c9a53175c87a87e522299b

C:\Windows\System\spoolsv.exe

MD5 1c99b5e97d08d731ef3d2bd7fb506306
SHA1 010985207bd18b82c130b517ad643b0e1ffff061
SHA256 72022240b0d58559707a9138773b385f675f6684b97b8895e8ed87bbc4746126
SHA512 ccec0d9decc18886b2743d8c11f0a29bcf9edc751fe6b14dab99e0936859c6776ea9e2282920d5d45e1936132328a02e04764b42085fb0fc762a6b7d7390b731

C:\Windows\System\spoolsv.exe

MD5 51b30772aafe44146e0e1e5671204ca2
SHA1 38c1469293d29598be7f983d439d9a6ba76a06ad
SHA256 4ae3a32d77dcf6ec495d3657fc9dd7e431e758ddc5fb89b6bfb72d8b42d6d535
SHA512 e0fdc473af62fab60521593dbfd85023e0be55ffac7db1cd4d3fbbbda94d561e5e698eb6fa8474cd7b9746342689a16ad126e9aca2ac55cfa42c2989e7d829b6

memory/1436-139-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3196-141-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b88654b0fdbdaecca00b15d125e9980d
SHA1 7916f2b1faf79de243e48913e565edef4debb28a
SHA256 99ab9fe99fb11540a8ba555b402cb190ffe57be62ff1c5f0f3df18bd32b0f067
SHA512 2c1a9e0f21386ac2fd3a34be73353e0d8d2c88cd2da8d1a0eea4dba34658e41a36dd83ea5af3d88a378a80f1e981e9b6975b366bf8c190c2fb0be66fa9465b15

C:\Windows\System\spoolsv.exe

MD5 4cb9dfb0e24235547e4984a5197a00ad
SHA1 4bc6fb921b64d98c936f04359c56a38e9e8eed5c
SHA256 293c6477ef150b4ffb4bd3321fd1e4f183c2a951220dbf3eb7d3bc8c505e5253
SHA512 ef6b341af8cd0d56c570bd20a14d99593cb93b682fc04d61688c9fe87eadffbc0972a3697ab185ee0233f20d7d8213d26f060a1daf22f4d7d6e45ce7b91f8ef0

C:\Windows\System\spoolsv.exe

MD5 e8aa10b47c2d7241103e7d1c46b9f58f
SHA1 97e414561cd11cd87279018ab695ed4c7751db98
SHA256 19bdeee0f5a6d2a0f39b1363654cc071ddb1e4666225c3dfd7d68343a6750e99
SHA512 94d0243a4156d64186695a805874b368ababa9ab8790becdebad802d260f5b2bebc17808865f9d77d7e457c93ec28a683a400bcd8da8955b762a08d19cae9220

C:\Windows\System\spoolsv.exe

MD5 dd6c915e892ef5754ecf66fffe76430a
SHA1 7b5339f9cb7de08e1336521cca5f4c4e5aa06499
SHA256 935f3ff49e1d5fbd6de55fc0fa8b5e9a29d5d806b83a34be04349baf1f59ff6a
SHA512 15d830d95143cd37b74040684c4a28fccba9df568678c487e8f6a6878b58e400d60851e6c5ae374a5919391b1cbeaf0805e4bc13f899fcde590d7c7dfebf0c70

C:\Windows\System\spoolsv.exe

MD5 470f8d6071f3900ef4f64807782fab89
SHA1 4d42348ea1de8cee942f41a5f575864f2f5aa174
SHA256 24de0fe6108a5a908e6c7c2f79373472c80c08ceb615307fdc13055f10281e6c
SHA512 95455460eadf02c4a769ab56f440e201a85d18a3dbb75bb7c6d53465142a3742acc600fcebf3133de4f6df94807e71f4d034bf78e21a4f6653710bdb6d688d62

memory/652-148-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 1b995e9bfdf2cc5cc40981a00560c132
SHA1 ab85efa2c739a0d31546e5db6e0a3e6e4ff50dd6
SHA256 a9d4c957b8eb04533e7f13d4d5f5c487eec7540d3653235399711626e4ee865b
SHA512 308a3ba0dfc9f85586b1a002a2d7f669d565d6207e6a5674b21405ffafd4d86954dd36b88bacc79c9b8ef8fb6d16960fa39007e91dfa6ede46a6f6fedc098a06

C:\Windows\System\spoolsv.exe

MD5 f023fad956e347d13de618aebbe70b66
SHA1 be720e9cf101d167bddb25fb30a86e48987bea5f
SHA256 da26fd38786ddb2f82a98dffa90010bb08651266dfbe8068a4aa2c9a4e045031
SHA512 4d6edad090da800d7eb2e547ab6e128f86292e24fe19ff55d965210b7363ab924792186a45ec74fd2c5522345412e49af8d1c6e7e243d4fef3811e6cee217366

C:\Windows\System\spoolsv.exe

MD5 0a29315f18409cb8a9c821993fdacdc1
SHA1 d19fca5efdc94fdf9007d9995f421369a09c9567
SHA256 a968533833c9c8aa5cdd45d0a511179e03b27ae73e41ced0d46a63850c1f7f02
SHA512 5c548596768c11351c5706f9fc94eca2d187e129e8f85849a578f8142fbf0a33dea2986cf6a3abd82234eff46e45c1805a60fe9b2b8acca13799243e639f60bc

memory/4888-152-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2804-153-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3200-167-0x0000000000400000-0x0000000000412000-memory.dmp

memory/848-168-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4140-174-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2256-177-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4140-175-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/4140-173-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4140-172-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4500-178-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4140-179-0x0000000000400000-0x0000000000514000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-28 05:58

Reported

2024-01-28 06:00

Platform

win7-20231215-en

Max time kernel

133s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\spoolsv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2532 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe
PID 2532 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe C:\Windows\SysWOW64\diskperf.exe
PID 2708 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe \??\c:\windows\system\explorer.exe
PID 2928 wrote to memory of 516 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2928 wrote to memory of 2844 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 516 wrote to memory of 1088 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 516 wrote to memory of 2076 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2076 wrote to memory of 2104 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 516 wrote to memory of 1888 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1888 wrote to memory of 1392 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 516 wrote to memory of 1804 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1804 wrote to memory of 1420 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 516 wrote to memory of 1552 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe

"C:\Users\Admin\AppData\Local\Temp\7c531d1fea8dadc8067a0862439b38e6.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 36

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1552 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

N/A

Files

SHA512 a312ff076d4543e7059c23b814704fabcfde887c430a8f7edd38cbb7d6e03149204839a401ddddf1a01e887ff70eb21ddf1cec92f1b7b4a8c82bf80c9d7d39e9

C:\Windows\system\spoolsv.exe

MD5 151421cefd53a9d97dc1b189f6696be9
SHA1 8862b763881ac5d1e6ea30ed93f19df8e655397d
SHA256 a350c7cd27cae3708f5d7fd6b914a32326b39e59cc055b2e7fd2dabd745bfa82
SHA512 79dc1144755d475bae05aa9364fbeb7dd92b1672c47deb4c035b7757a4164d8110307f398fb78f86c0e90917b5cb70331f33f72826468b94a13980031da22f5e

\Windows\system\spoolsv.exe

MD5 7908c40c05c7d23dd903b17d597b6764
SHA1 f28c8d36c481d1f6bcb19f5c1665cf8efe78788b
SHA256 c9dab040cd05e2d3a2ed33b4155e1e3566431e3fdd66cfa29d224d32045d2efd
SHA512 2e9801cdebcbab3c2f47f9a3abf9019ed6e9422c637c665bc7fbe947048462c4fd689d57303d36980912b62eb3ddd8984acc217a505ac38d1300b0d89087e44a

\Windows\system\spoolsv.exe

MD5 2524e9c6d090647fd170d99837b28322
SHA1 638903307afffe527d824f599c22ff927480a39a
SHA256 07d9e642fb18f435f630a324d09dc2bc9f24040e7548bbbf65177f8eafdb5912
SHA512 a750302bd38bda79a5c1c6abb0e345902358a42f8cb9080239224c74e7469421f2f69ae0f7ed83bdc162519725ef9732e7fd5f818144dce51254b24abd50f71a

\Windows\system\spoolsv.exe

MD5 f033c108c174416dc4691c5125878b64
SHA1 514b97b3332e3d0a34a2a1527c064b4d79e65153
SHA256 bde595babdbe2a1ca14a52863f7999dc6b1c38969274ed53679e25672ba1c30e
SHA512 6db164b05c8e2da90f611fbfc2f8b3f1b0ae7e06eb1753eb4f4e29c0e04c4f589daefdfcb94131a87bcac874ddc94a8b4ef3b0f519cb5434e165b6a0b19209bf

\Windows\system\spoolsv.exe

MD5 d810b73a13ef34e6db61e83031abe3d6
SHA1 3556f0a5fffd72074f8e73b8a8b7c4e906c544dc
SHA256 6c0c42e68080f5911791a56389efdd47580baad4585ee8843ca6fb1a322cf799
SHA512 db0cba67fcfe83a35aea12dc5c2a200ed673816391f0c043baecc9efc9826879f3f1a72362adaae97701620094c626a4ed569d7a6a0f649182064970edd88d8f

\Windows\system\spoolsv.exe

MD5 1715f1de1233c5e8f1891e6896897b6f
SHA1 9d04127a8576641686f2d169017f5d127a352edd
SHA256 c7047324b3deaf59b0f922a7f4a7dbc1f2723d2b867f6d1dac4e847d0e7df80c
SHA512 2bb4a05ad187c55095df6b001e00d620fe126d61810ae37310690ccb7967cc4d762a1459784fcf12bf4fee4ba9f786a8e84f61cff3029548f42c1775a9a4387f

\Windows\system\spoolsv.exe

MD5 48f1ce045526e56e710b19a404676742
SHA1 63decf85e9f9aa7e652853e193f08e8f8ec30c43
SHA256 fd535c29dd72ba2fc54a55cf1137d17245c1d0509b828d64da1121805a5f52d4
SHA512 03175e262296a7388b9f15dffc8500b62474823c1c39e7c941a07df0ea4765a5df8059205837522ff8e68ef0426c50851a8fcb2c39bff6fd3b26637b99e40eff

\Windows\system\spoolsv.exe

MD5 fbdda33e8a2a1533c80b89c92208cd22
SHA1 de236f43bc89f2fca9f3d51b183050ee7f83ee3f
SHA256 b064acf52d6641580eba876fafc89454a6cdfa5ee2e0d2ae63ca2090ffcb8dcc
SHA512 6e1a57ea3e5c62cbda10a43dfa918a3b86e067c01a2b0495c785c9352fac477b509c149903a95f25ef4b2467c42e11f331bfad9f42587dec2e54c5c4eceddefc

\Windows\system\spoolsv.exe

MD5 effe54d72964d4b16fd0887ca6c6fc1c
SHA1 ea1e89e550fd40f76142f157ffc6e545076e9305
SHA256 612bfcd85a96061d2ae11121d8a26071b5bd54663dd0aec345c0c8f10ad4a591
SHA512 c922c001d77f75e4bac73b804287de49ad5c58fee0c068bb36543ec2dae7f82edc3bfa1d0d682feca2eab0bd3be9829c44ed0318cbb5fae858feca70382f5aab

C:\Windows\system\spoolsv.exe

MD5 b2e7c3dda4b9883daa4d13ab508a2f9c
SHA1 4d49fa21a1ed50138d5b095811ab15316f734f70
SHA256 20840adb780205669c876b89fcd4177bc2f63212df8c4b68d46745470e27af30
SHA512 4b089c115ce6abea179fbc7f158f088c9ed9445f2fd054fdb19feea6b42b9122e16a7e905415b97205cbbf2154eedf083fdceb2083d8498a4dee08f4c31eeaf2

\Windows\system\spoolsv.exe

MD5 985099140bcd84bf0db731a49dac595c
SHA1 7c50084987186e18d100e7571f803f1a89fdae56
SHA256 c674e9aa36405ba704381009f292db48adeebdb31baab257c067bb1e1f2c4e80
SHA512 b6832f9d6b218839becdabd5d0d984459eba8d78708c56d3c12c745807f2606b3aea21ccf9294638e70fc4906a8cfe0897956d9063805d2a5ecb17132594c8e4

\Windows\system\spoolsv.exe

MD5 f4b502475e47de262209325e42f75f1c
SHA1 18ffbc9985a0e4920fde4ddfc8223b5ca57d9cba
SHA256 76d315a4be5b36b42ff106a4b89ba154d748542df1ba8ba8cd9843ddec34cf71
SHA512 654c9d68be0cf1fecd159b739ce276d8a88809aa36f11edc8f73875265d94e43162905a73af97dee346b1a6c0e3bd9a7a49acc5bb2178f32798d904e19f9b5f6

memory/516-189-0x0000000002E60000-0x0000000002F74000-memory.dmp

memory/2224-225-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1088-224-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1584-234-0x0000000002D60000-0x0000000002E74000-memory.dmp

\Windows\system\svchost.exe

MD5 8dff3fab93d405238dd0f25378446765
SHA1 ec679acfff8eaf66c8bd5369dc46f58b39723384
SHA256 1b509837f423a381161796ef27243b44f1831a01db44f531244e9f19d0e0163c
SHA512 881b0ce1d46f26388e63fadaace30f792149f6487876f178b1525c39f4efc6a26655618a1d9f4cf8ef1631564e7f559240fa7e245fc6aa42022962f2b9ea336b

memory/2860-237-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1584-241-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2860-238-0x0000000000220000-0x0000000000221000-memory.dmp

memory/516-243-0x0000000002E60000-0x0000000002F74000-memory.dmp