Malware Analysis Report

2025-01-22 14:19

Sample ID 240216-df8a2sfd5t
Target 9f452b6e2cdafb5b8d7080eaca2bad2c
SHA256 2d7b915fc601914a6b23c00dfa59e263e2d2ed8f59a62dd72cbb00a326ad35a3
Tags
rat aspackv2 warzonerat evasion infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d7b915fc601914a6b23c00dfa59e263e2d2ed8f59a62dd72cbb00a326ad35a3

Threat Level: Known bad

The file 9f452b6e2cdafb5b8d7080eaca2bad2c was found to be: Known bad.

Malicious Activity Summary

rat aspackv2 warzonerat evasion infostealer persistence

WarzoneRat, AveMaria

Warzone RAT payload

Warzonerat family

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Warzone RAT payload

Modifies Installed Components in the registry

Loads dropped DLL

ASPack v2.12-2.42

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-16 02:58

Signatures

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzonerat family

warzonerat

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-16 02:58

Reported

2024-02-16 03:00

Platform

win7-20240215-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\spoolsv.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 2652 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 2652 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 2652 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 2652 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2692 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2868 wrote to memory of 2988 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 2692 wrote to memory of 1540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1540 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1740 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1740 wrote to memory of 2356 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2356 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2356 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 1740 wrote to memory of 2356 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 592 wrote to memory of 1864 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 592 wrote to memory of 1864 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 592 wrote to memory of 1864 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 592 wrote to memory of 1864 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 2924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 2924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 2924 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2924 wrote to memory of 1920 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 1920 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 1920 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2924 wrote to memory of 1920 N/A \??\c:\windows\system\spoolsv.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 1676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2692 wrote to memory of 1676 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 36

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

Network

N/A

Files

memory/1512-0-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1512-1-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1512-2-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1512-3-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1512-4-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1512-6-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2652-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2652-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2652-13-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2652-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-23-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2560-28-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2652-27-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2560-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2560-31-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1512-33-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2560-36-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\system\explorer.exe

MD5 e8e26d2b436e55a85a938c5ce3b09ae8
SHA1 a8c8e5d20dff2f736e984da1857a7a77659f8017
SHA256 01c6eb5a031bd1cfa829c660a5db0202bedb94b8615c305a7e2d66d47734665b
SHA512 c979864b158fd4db8c034e95b03849dd7b3e26264e83b4c57fb8cf8c592458d6a34078d8a92e701c1cfee5f239f7067c046a9e509baa3789799a37192e258e0f

C:\Windows\system\explorer.exe

MD5 8cdddc79d94d9f05b1e72913ebd2166f
SHA1 d97115b8be8d9b3e5c52f6060960b4ed8a73df5e
SHA256 00a262432470ebbadbecc2ce654c4a59e5b3ccbfa9348677efe0b4f43014d26d
SHA512 3e089e45b14e22ffe05d1174a014289bbae7b4c76373353f5fa63fa72cb801e2507e2af184fbfb268159b7e763397efc70ddfa006dfea2cd0689308e36a78e26

\Windows\system\explorer.exe

MD5 9482d66b8f41ce49bbebc8954c100730
SHA1 7b171f8e71cd7db83a2a9e60f1e4dd1f687b51b6
SHA256 9cf01af0e7d20cf1f84850720b720724fc0ea9749a885bf55f3aa25f2df3e969
SHA512 b44ac23839c9d83ff69baceb723e11ab1298d9a355ccdc06f97d8c421c48aedbf7b7d17b3d2923d1a8dea5c267c44ccc85f111c52e387cf9c94f4f289b1b538a

memory/2652-47-0x00000000031F0000-0x0000000003304000-memory.dmp

memory/2868-46-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2652-49-0x00000000031F0000-0x0000000003304000-memory.dmp

memory/2868-48-0x0000000000400000-0x0000000000514000-memory.dmp

\Windows\system\explorer.exe

MD5 fd8495aec694963e787e6f4e543fac20
SHA1 c4d7f621210883773212e63e27687a427dbba222
SHA256 996078564d6d379619b904ce1b964d835baf7ebed1a63db06ea496811534d547
SHA512 75b92ac36c6ec48422a40ed2dca5533c91dd020263b19d87af43d84b6a92db084dabbee4f56ce60868d49c82a5c647540b71367358b41b3e104f961d32817764

memory/2868-50-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2868-51-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2652-53-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2868-54-0x0000000000400000-0x0000000000514000-memory.dmp

\??\c:\windows\system\explorer.exe

MD5 1483637cd16735b3959b5b0e311c0d4d
SHA1 151ff8d90198b7293864af849f945afc7b15aacb
SHA256 34baadac7770f536c9eefbf913b86325a58e7a3a3bd0153e75b4cfc32fd2700c
SHA512 96678aac90215402f330d84be64885f2c82dfa6942f7b7575bab1445fb5edf3fd11920a5e3ffd83ca7ad4779cc3d3fe1c84e51a6aa4aec8dd24f7e12a34edfaa

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 c9b68379d8e39454610e4f975eb197a1
SHA1 b60ee88e89c0e078ef98b1d40cd4cc5618745167
SHA256 a4302a3f5632a83a5a79f0a51fef340e2ca9b8ac1ab4507cecc6e9678969d06f
SHA512 1530e2a8cd7fdcbb5af71f4c873e29238ecfbb4bab52a5b68fc2d40e0cdfb6296877a6a67f3b22192227b799a08304d91a866584e47a51a07a35df1cce11af87

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 5fdd40a9d34959357136ca48b2362874
SHA1 31371f70da212198b642c5567c097829b49edf1a
SHA256 17d6c8e43dbc0c3fa04f0d70ffb41686524186414be5e9e61de58246fea2d0ac
SHA512 a1ae578a90ab5952678e92ea77084df7c34266030210f0ecf9bdbb35a8db2c11ae0e6e735ead84a2e3dc8b257ac646bebdf704f336e1a596ae8c62a0d4b335c1

C:\Windows\system\explorer.exe

MD5 8a18e83fccdc09bb819a0b3d37b280d4
SHA1 75418a7082d31f86acd00ebc085ec249fd30dc0f
SHA256 9b8d0626811258bfc9eb5d5acd824ad46a86e60bf2de8e3c3c76861aa53ded1e
SHA512 99df41aea0e8fb9f63ebf58b1c6c4b89ceefe09b573490058c1a79dbc14082db683bb423588fc7f2417e76f83220fe123f81cce1436e4fcb219b3a7e79eca113

memory/2988-78-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2868-88-0x0000000000400000-0x0000000000514000-memory.dmp

\Windows\system\spoolsv.exe

MD5 ac268d00b6a49f07e91f76c5e4b82b07
SHA1 8527472c16be4ebcb34ec185b734d4dd7b90a472
SHA256 50646055829b3326a2f64ae5bcdfee06b8d74dbddfe8e23c17fa72b038ffb91b
SHA512 93e51729560b3d824438e8864eec7241771667c09d7cfd3c273bb1a0d082d7716914473e93499db232b2d129e52a94871394c67008fc943bb48857ebbee3dad8

memory/2692-97-0x0000000003200000-0x0000000003314000-memory.dmp

memory/2692-99-0x0000000003200000-0x0000000003314000-memory.dmp

memory/1540-100-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1540-103-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1540-98-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1540-96-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 94e39fb6fdc9b8ed0d7a2df752443bb2
SHA1 f45c0ab15eed22783bfe2b25b3067cc1ceb8c4d8
SHA256 ffae1e471aad905716c4b58e410d5e34a1a541c7291166f03cc7ac8fea23bc89
SHA512 e7361ad16a0e2955d00d2cad37da82ca4717e530422a2ad722875a6baa88875436068a3de077672553bb0dcc69221fcd95e770be93f33a8445fc999225443846

\Windows\system\spoolsv.exe

MD5 38ec3f2c8acd48be124b366735ebb08c
SHA1 9d9da759e1934356eec552cd15b96368afc1c3ab
SHA256 bd96364a62ee2397156a5c3d82992fd3474b668cbfd539288404654f4f78734e
SHA512 6c89ff2be6d6be8eb6e47f5704e9f7ba2c07359fec4b91ca93f739006e1a8e53e0cc90d4b656ca9ea02c4f4ec1d3d02ad0d154f8c5d6e4765001a3c1365438f8

C:\Windows\system\spoolsv.exe

MD5 633b84fd05564df931a6a94e32fa19d7
SHA1 e00b0eac159bd81cbbcce9ee7a840553b82d0a76
SHA256 bd757131ce412d6892b1be9a80c6a5a6cbcad7aebfd668e5f1ed5e060d249ecb
SHA512 fb57d536830ee19af2070f09d04118be279d7281dd007edb77f8b5362d639e51f36a19b69ccfa6dfb22074181698f54caa99a888e6d4ca979c760334ea33d494

memory/1740-112-0x0000000000400000-0x0000000000514000-memory.dmp

\Windows\system\spoolsv.exe

MD5 e52c4d7423e2ec4a00fc60c02a96f7f6
SHA1 f5d43548e828f7a5cc654b7c7dac06e5d33cdfa4
SHA256 2cf52b5e244a24e790b431beac0e3a4a2fd8597666aef1e5d0453e2af900c503
SHA512 4d42605d4b846cab3b572adb4d2add20604066264b1661187d880347c81b1a3d47cdb7662215dfb41ae0bca9397cd4075c550b06b68bc957fbf6ccfa1daaf844

\Windows\system\spoolsv.exe

MD5 b180f34ae4f9b7c59c704655610eced5
SHA1 dcdf1c9974e84ac634d68079c12cf27ffbd24d1c
SHA256 b11711dc25f6e6feeb1855e9ef72830ee0319a2bc1b4247a63c499216cbcf238
SHA512 fb6fd93d5441cc20fb3ddcdf6a7cedf3f33ea61f41a41a10f3300b97cd64e0e6842ffa6ffd6624e0847e2bad4fdceec268abbe716d2dcd19629cf6f9e2bd735a

\Windows\system\spoolsv.exe

MD5 f55cc39b777fa8d699d62e877200e3cb
SHA1 234c8fd1a8da60815f1eed0c573574d82e97aa79
SHA256 22109bfa790228c1adf0274185220a86e3d05f5407ced9092cc58671a63884c2
SHA512 8805cd414b0a735cc7c1448f21d835f0ebfe8533231f7ebd65644597fca354ea8ba8eab7caf387e73f08a875d77f1891b6c3936aaccbd99e00c2e4fd18a99ffe

\Windows\system\spoolsv.exe

MD5 0d50028a9804471aad29600f10bb8a0b
SHA1 00ab0fe7fe07c0428beb77607b36a61ea202e2ab
SHA256 edc0c302050e4f9f7f927f026629b52cfc16f622a5ac64ec9b11dd074e9c10fa
SHA512 d0a983aa6dbdd7c34212fe74f6dc2f28dc20b75719c6137728c12a6cc1e7948f00614610f738ba731b6bdf4140f85b753c1c05384431119338d08ecad523b54a

\Windows\system\spoolsv.exe

MD5 516ada361b9a1adb72a911c4a37dcffd
SHA1 4b87cd52990f9b3f3afa357e3edd457a587178bf
SHA256 551463d10e886cad055d00cff411802631cd44a55aca9c660c0765f8aeb0b6c5
SHA512 35bb8943481e5d856639ce19672a11d4a4ad681475fd6ab9f2d9b19d7c298b68a153c7d0122e52d8ef2abcdd2955f0674ef7c891078a2ba9c36610d4cc784e81

\Windows\system\spoolsv.exe

MD5 fb488d52772273df21b0f1eebdf1d771
SHA1 239df314b4ee5bf69bf4a6ffdc3171843a891185
SHA256 a0d20a74bf340d49e7d6c70a7cda1c2cb74ea19f1ac56c748f8ea7607805fdc3
SHA512 1d95de9fd84991c5c01fd8f9e00323c8bb2e10ccf950671543ba92eb7fe6c5fe223d0ea32ad92fd4b1bdbb26d7c6adca35cccc2c3372f340da0094c752eed966

\Windows\system\spoolsv.exe

MD5 9e34670b73cb526a06610c533bd4a2e9
SHA1 e54d9a803ba9906560661b69a4f61cd5c0a3cb78
SHA256 3aaffcb44e01e8caa7585622a443178cf2f3a112806e398bc02012aab0e8ec0c
SHA512 cb66747923875721a82574db03c9deb005392374d3d0216c8c769bb7c0ceb0f604c6f77793450835a4fde961d2233adfa945ce2a2357997fc1597f4293a12013

\Windows\system\spoolsv.exe

MD5 961a3948207a5259fc763ed04119eca1
SHA1 d1fd10fbffee589ad4022450dc09cab2903e2cb0
SHA256 26601e15a2d6aff8184273083e66e16cbf5fb0e376802ffafef20a2e49f1051d
SHA512 d276aa26672a8a31df0d9385be7f679d6182c2e193e3222b555aedd3372e7cda10651810de88a783c7c820978a0b852881ecb132f04003a086ee8868f0dfaa3d

\Windows\system\spoolsv.exe

MD5 92707446b9b983f2a9d95a30d09c37be
SHA1 021566a36a7a0e64e27bd0834199b5090889bf33
SHA256 762a76ae288587d9668d0a1a6e36fce65e351c47be4e612b7832a8f7f86a9232
SHA512 e10d037a0754016e7063a211367b2731ae94c37d71950249ee23b9605be1c9e31e4da7cbb5e1f7f118fd31f2f02bfeb1550e43367600e9b9d1177df324c04958

memory/2692-120-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system\spoolsv.exe

MD5 918a821c38905214c02b8c408764a4d1
SHA1 e88935333af7cab4aa27ec1f52bae25ff5b934a1
SHA256 2cf87bf077edf98a7e2dd8c1f47ba0492a47878eb38859c31a1dd44a6e79d3f5
SHA512 a9b8b922edb505efffa1dd837e0d50d2489b73d9a5224f7d35b26a6258eece4bdbd833fe7987608b26e89cec3f927075398a3dcb6e047f2b561ea94b1b94bbe1

memory/1540-129-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2692-130-0x0000000003200000-0x0000000003314000-memory.dmp

\Windows\system\spoolsv.exe

MD5 3bc006a7a9d7a6063dd45e0a5c380273
SHA1 d7e7e71eeb3940239a425fcee464246ca7a1c3f8
SHA256 b3a06bc0a49b935021c5aaaeaa64b904bd7eee3ba1e87ef43a6648cc398e0620
SHA512 e8c17d31d4f45115530dd5f26a7f072e69d32d21686a8f5b1d00953a8c4fd2798fae14d1670169c8639bac7483eb35eebf13bf69d6a78c7ca3da2d9b2f4132e5

\Windows\system\spoolsv.exe

MD5 d9f799c0187e51d10ad25b8496866027
SHA1 0666c023d2bd6e51f01f9989167b5d69955204f4
SHA256 4b43b6899932e6d04359a0156bb3efaa31c754752840fb14b43771221687644a
SHA512 eed6df1f824c317e900aa502cb6326d49f90d3d76fa24d7714789188369f09ab401bff83ad1d08cd3c0ff7c10874aed32bf63c120728da079fe317ea1f76d3a5

\Windows\system\spoolsv.exe

MD5 ea78606c6d1448ad77549c915862e806
SHA1 d79ca8239a5ff785c40da7b706ae1d34f38e2ed1
SHA256 82e4ac721ecf8fe6c3d9dde69ac6b32f49319a87e1a71fc6dd9aa61a85b17b8b
SHA512 1927a5acd17818e29b2b7a3f3f243ec2e69085ee840f2083f4c4c76a333e35b72a04ad6741a2f66a8024a6d9b97bcbaf821430a502d2aae9d0aaa2d0a6d25e83

\Windows\system\spoolsv.exe

MD5 670546e1afc0a4ccd1a8709e93dcd5c9
SHA1 ef34565e3885b718320ae105d866bdb12499ced9
SHA256 b8ee6ee27e5853fd6be049ed7494e59fef3c62b20e2220c06190d6c77c506586
SHA512 d42d5d983ba7c099ce40c5899cdcd5223bb69103ebd041d34308dbc1331980e9d36f577081c3a69f6d5185b327f105abfca2da2af0b42804d08e46e87be123db

\Windows\system\spoolsv.exe

MD5 56195c30e728c6589c3e98a326a2deab
SHA1 5c56f82ba257cc33713ed9c1057b971c0777c9ad
SHA256 72c93a4c092fd598619d019cf203a508b6082694fad32cd3500372d5ed23fa7c
SHA512 8f1fd690a8a28f40e86c0a9622f79617a821af71795fb76925c6a815fad9c7798b76b32fe73975c9ea883de91c35b0f8717cdc8419b8c7bdcbaf4d9fa154f1bb

\Windows\system\spoolsv.exe

MD5 eae584ebef4a234d686e75f6b76d5387
SHA1 f97e6e8b3c93b5bec61d5753ebfba267a6b9ac77
SHA256 9a03e2219baa7932ee4f2316a53f11eed6409aad72caed7c04211207aaddd082
SHA512 3223f28f14d493a4dc646ae9ca351391e59e69fe713d0593ea8356d24d0a1568f8888f7195be73680fa1ace94622abc2278298cf9dc0d14f174282144fdc0a05

\Windows\system\spoolsv.exe

MD5 fd3dfe55b1af7a073e010a1504ce8afd
SHA1 d54afbbe71f56667a129f4cfb053c34be904982a
SHA256 e19049943b22b48d92385b90c28cc8f0d8ba68606d5497024af73feb65731f94
SHA512 eb76f5336cfeeef0d5ee0d7d2f812840aa916f2812af146a163efc81f0b48c878d5af2bde891155e03d8f559233d32550a1b05cea4078d9ac2bb4a18b135652c

\Windows\system\spoolsv.exe

MD5 acc2f1c24f234e40fab8fdd1a0de8f95
SHA1 57e0abc77f7bca8dc2cf762943ebfd8097bf5675
SHA256 bfc158e33e4b1003f6c9ca08f9e2cc5546a4cb34aaa6af6ae2a5eedebc5831b7
SHA512 9a018d0550f6dae021fb5e23623207d052515e122922bacfb43b7cdc6c85254a696225db802207568e23af6c4df2b9f1ab79a74cb7f9185fd922970dfa229e1c

\Windows\system\spoolsv.exe

MD5 8bc5a03a5c44325f5aae0071df8da9d5
SHA1 e990b00ceefcb012cdc956ffc2a047bea21ab9eb
SHA256 7d623a89ded7740cf687a791ea3e1eeb3a88d49374e976e3f670d27839edfdcf
SHA512 33575a2f7b4185b7dd83004173d5d29f9552e852c8a75451d9fe0002c30dc320e52312d9dd7163089df661a7383f31de768f02d05ff0143993eb5ecb0c57ff92

memory/2692-138-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2692-139-0x0000000003200000-0x0000000003314000-memory.dmp

memory/2692-140-0x0000000003200000-0x0000000003314000-memory.dmp

\Windows\system\spoolsv.exe

MD5 3fdcc1d8f08111532d4a90ef4893dea0
SHA1 6b390cff2a446f5a9218cc4a0d574ee0f0cb090c
SHA256 a75fbad3effe4da36d1b35bf439b5cc551200c47fe896b0c548fc817642ce5b4
SHA512 0a9af73a9e0edb147f6ffc2a839918b1235643da25a467c6bcc3555cfa8654597866ffd4999dcf3ddd1df9fb86e578ebd3ac5c4c34127af4a60d07c312a86f06

\Windows\system\spoolsv.exe

MD5 4bca45a5969fbde74fd99f23d764ebe9
SHA1 f831fc17079561f6c27a0584928d83d4db8ff99f
SHA256 9249d43a63ad1fc171ad6e3e07c824c5670e94d9b9ab7967c50a943827a20c22
SHA512 aad87496eab072f92f5940f9999a872fb344f521af3c22993401233254b9060366eabee983c71ebfb1915a9e94eec96b4712c4c4fba866ebbcac8deccbcbebd9

\Windows\system\spoolsv.exe

MD5 d10c4f6a1823a6362461f275bd7e0837
SHA1 b1ded9c0e6502c3722c91876e771e95d727d450c
SHA256 bc63a271f0ab501945e93e98b279293294ddf655abfe2c2518485108ac47c48b
SHA512 1d7363879b45d2a13b56a768959d0ca3cae572856a4a5bb44b326617d471abd223ad8ecfc20088bde6590567f3e31f1c8075fc1071abccd6bd90b300d828393a

C:\Windows\system\spoolsv.exe

MD5 89bee7c9a186a9fad6c0cb3359165a73
SHA1 257984c8ec0dd4da22de934dc86d9c73ae77bb79
SHA256 6024f2081f29764030e12514cfe8845973a356399a681785e67d6d7c961dae88
SHA512 a43a8d96faa8a079482a6b509ccbc4d2d7e1d4a902c60de5361a9a74353a59e8fdd7d2dd688ac77a40ae562ce940e9aba0e5c5f2c692c2bd726cb53976d991dc

\Windows\system\spoolsv.exe

MD5 fb8d626c668435cbf9c74c33fcced2e7
SHA1 df68ee69cc8561a226cb34c3c007347ab396ab8c
SHA256 0427e749e6608fb6e8e8985143422cbad1c5ec57edaa4a36ba382fbfb6af374f
SHA512 45c0d688f95364433aefa9666bbcbd8d3ef17006490a9f187c51268693e70584be78ce440ae982568730a5716eaeba2a12981735bb67e114b0cad703f02df465

\Windows\system\spoolsv.exe

MD5 1092d5b280364e191c408991ddcf53ea
SHA1 5996a1a00e1705b0548ac23cb752e3bfb079dfa0
SHA256 90464f6208ca687ee19bd2229ad8ef6d1ccec7f349df28ecfd5fc07c5f63aa96
SHA512 f87d747eddb1750685599961ed97cf56cddbd9776b4feeee8b21b2a7bf3870cc81ad66908910c9b4457bdc138b6b9a2cc88ee37322afa9d0e0efe16ccea79a15

\Windows\system\spoolsv.exe

MD5 78b480b88a3aeee458408e7783ff3c91
SHA1 ac7484186c4e5bed7e138db2dcdaf68315fc22a3
SHA256 d38a6d3012e5f8eb78bb0e818a2190689cd8db16f13b9ee3b5a8975fcdca6b6b
SHA512 78393581b286c2ce0e0edf2da9d77908fb9b10f7450eb3bd18a7a14dfc178b39d6e5f95322171cc75ab0c2fff3fbe45648d63e3a3a6efac7d35365aaa40a3f3f

\Windows\system\spoolsv.exe

MD5 39e0000a6f04999d0f53fe7071e7c3ca
SHA1 8c8706aaff85084cb19912639e7fd257a3f92ac1
SHA256 18bbb367cb07dd3ac3639165012e3389644c140d848df0429b9009091523b3dc
SHA512 419f448aa6966683ce00cbca85e18f42380415e3e4df953b8cab8ad5a6a9e5d3c33b9a48caa77af61a4588d4ec3dfb45d9e68c6e35f9c454748869d84ce33fc0

\Windows\system\spoolsv.exe

MD5 3cfa1f0bf4409d52fcc30f52833c0a1a
SHA1 82ab0b1a15835bbe2f1e5694410e4157a56346eb
SHA256 6a40c7e5f1ad2cdc15d6baf11ecbfa12a4202124c19b230d188340d18eb9348a
SHA512 d7b52b86d048c9b8fb162cb11d899f3a43cf89a318bdf95e2f7d09f7a421cea728de8f2574b06eaf7362f2ca782ff78b1e5625f14492d0d0e12c774465171e0b

\Windows\system\spoolsv.exe

MD5 83aba96cbf89a0c2175fba7dda88e223
SHA1 9cf0f157a4542c227fd808991e839908198e168a
SHA256 96cbc475a0a0e0e857f973dd6921d565a66ea44dbd092175a08fbba5c90f822c
SHA512 d11d4f852fa294e128c332c5e623d5bf43788a1b06e441d2a026b736a883e39e017d7b6238d7ae56d3e731ff57618a4deb2882168686ce19f288c690a89c94b4

\Windows\system\spoolsv.exe

MD5 5253ca91631c0c78360ed3412aa6ffe2
SHA1 ca8a37294d786c93e2e86590343c048fa2a92d58
SHA256 87d578a9d550ee9f9bd36fb34c7c31ef633368c6d2edaaeca1d1c33cfeaa875f
SHA512 98ce384ed3ace10c85a0598788f89e31c4e4d7c1f06ce066a4d847b1299ec3429c4ad5ade248d464f2d39055024703b11f9afa9eed3f8db9c5597b4a09b2c174

C:\Windows\system\spoolsv.exe

MD5 30345a9ef85856c0c9ac39d3ed3d3315
SHA1 375752894b1713b427a92a113fb9eca444f44e74
SHA256 9790024614b08f96ac2dc2647135dbb60c468df918f3ddbeafd0121f39932e9c
SHA512 d62f476684b7a53390f9caccd96cf9dd2352172d512ec60fa8e74e271e69d3f7d4d5534eebee06c833d029d422f2d17ef7b56d0679ebe81fe183fe00aec44278

\Windows\system\spoolsv.exe

MD5 f95af403f446237e6881e71945bca678
SHA1 726aaaecdd198976a38d4f7ccfcc57027fbd05c1
SHA256 661b37dea35e51fb1a4e88cad65d178780e9383562c40cd03c4aab07fbe3078c
SHA512 7d765739a67684e14792aed1e5d364c6fe3e6819ae1a798b30af6eb6052f4cccab08bfdd486e9050cecd79a90cb08dc40190dbf53ba00b3687dd0c8b69bd19f8

\Windows\system\spoolsv.exe

MD5 127bacfe6720de9ae0e1a0c726178cb8
SHA1 27fc23b0215c220c743136ac1928732f55eef1fc
SHA256 1216a3aecc943a124b114631d6a624ee18bedcb5d4d859626a075ca391a0d267
SHA512 cca7a9f7b771e5c6e1b61e4e605e7f7edb1f30c9509ca1a42fb8c1df52a123c6a20b3c63ea0d5a317cd8b07df9b50023c65f3dad5ad03f7fecee59a85636cf7f

\Windows\system\spoolsv.exe

MD5 3ffbcc83e1b84fb62fdb1d1eee2f562b
SHA1 97d1df62be4fd9b6cbd7326d701e45d7b8131dcc
SHA256 aef03687a975f9ebb9e0b5e672d0f7a58e633073577ca9bd3dbea8aa24b732c5
SHA512 2a5e7d550791c1c639f39545363a86aac4b30f6e9d1500457fe40eb8135ed97df6c4a919224736b61cf7f059a56e34280d4d2a2cfc2bef697acf7dce4b364a66

\Windows\system\spoolsv.exe

MD5 d53e3dc716c1e01f0b6ee5c786062919
SHA1 bcc97f8233b912630f0652b9558a4c7c281a8d11
SHA256 2b4922687a69d6f0758066cd5057975d2a4a994d27b8c21b0c976139a441a2ce
SHA512 366541e687b81ff43db028e3217939f66149244e2b48704449a1138c305f71822523d1bade1367f5fe488196e6db9e19d370034921d36aa077c005c9ed38a007

\Windows\system\spoolsv.exe

MD5 93272397d70056956b15324dd17532fc
SHA1 e3ca9b51da03d12666ffef75b82b3fc330c84a1f
SHA256 fc6de39ae70b717b17351aad8b6d06064ffe9d3fab822004d38e2db78c677a48
SHA512 035dd011bea00f5a3f769aecf1a0a2aedd79e3dc86caa819481114388ace8643071f05dec89183e79f2b5903759befeefe8698b584f7921b85742c0ac3a71bba

\Windows\system\spoolsv.exe

MD5 6536bef0a9854470b2ca44f6c69029e2
SHA1 9bce608a1b3e9c723d34890c42588e000f7f5c03
SHA256 93ae3a8c670087c054a351436a3b942607fb43ed42717c006a00ba48781b7604
SHA512 67e190dd200eab46257ce123929d524fd3e9fdb0f5aabf43024bcb0193a857bcd836cac507af766a9d3d2e3db88674ce6ee201d90d3feeb22b5aba66af1557cc

\Windows\system\spoolsv.exe

MD5 12b2578f1e670de898dadd96a4a55b64
SHA1 2ff76886ce0a475fd0f1986360aebef0ae3b0367
SHA256 4d97d297eb926e17e23ea1649fe4efc8fb4fbe444dd3695ddd7229757047c5c2
SHA512 730ffdc0a6cf91c8be417e0bc142cc20da2e7b920237708e7e72bcedefb652c24b7cfa6bd54e5fad3a6dc12836f741350876a183b8ea3d3d92c2fe75006bf884

\Windows\system\spoolsv.exe

MD5 be474b25659bdd7ecf34b6d06863266f
SHA1 3e1c2e668094732edf8f2bc2014513cff3fce57b
SHA256 59a722f23e77bf10e8cd00fded5437b5a2a01f8251e4bb288e2e22ddbe409c59
SHA512 5360da9fe96e16fe6a0046fe4361f8981050ca02c1f86e2129ad48c3b16c83dc340d8e361ec5b7c03370a2c6b8895528c3d42c6ab40e6f56bc3393850a0ef940

\Windows\system\spoolsv.exe

MD5 0e793d41d143181df8eb9a759e63f528
SHA1 e7e1b39aaf4d4b13ee0f3f35ad522cdec344c806
SHA256 063a1e773f2109c71d4b6abbeaa162e42acf7565e17e57d163c20eb1854384cb
SHA512 c853ffbba33651c876e0604da68aba90506bf6f93cc8bf450c7915c8b27f8c478096643927d75ca4b78349705b8010d111825ef097c2cdbeba43e279a6a12f20

C:\Windows\system\spoolsv.exe

MD5 b350209cbc90910930c512de9949c7a1
SHA1 356cb49deb89820abe00a92d04cc2f78b46689e2
SHA256 2ab7d9ba4423d9f38b93e0cc746ee46896ed42dee67be73b2a8a422899466343
SHA512 708db208531dc5435a99d110cd3afa969abff8c2dd5d2fe23570b2d44a07ed30ab122255c5cfc48e5308955094f44471c4f75ec4678b9df4375e94b1bcb98020

memory/2692-185-0x0000000003200000-0x0000000003314000-memory.dmp

\Windows\system\spoolsv.exe

MD5 973844443a6b5ac2202519fe9820cb05
SHA1 e5ece69865d9b49c87b720890790659ed9d55d53
SHA256 26dc5099555eb47fc3f3e3185580193444a4e7cb618eb8ea7616edc11020227a
SHA512 91c2f39ff753f2fdf16f45660918d97414864309c1cf0a3fb8f91ab8f595d2789caf31c675f3f060e6a4e5af793c4ff0ac78bc75ac390ebc21f45fff3900fa57

\Windows\system\spoolsv.exe

MD5 5fb1c578a1386d1bad545a985b9e192b
SHA1 d514ca9cb5a45eab330c6dd6cffe6d8a0ee30579
SHA256 03cac58e46df5c069fef067ec2c58b75aa7a3c291fc2433c9735509e2dc545c7
SHA512 0430e6f034427b369c1ba7a899660feb64d6837a2ebe54d40a18d5223c0537b56d324e2e3b5433634844ea552406682b037f79b462f901db247db8e1c2f34bd8

\Windows\system\spoolsv.exe

MD5 d7d4d81c2c22f878c4f1660caf531204
SHA1 c592227c21798376c37cb304944aa65f388408d3
SHA256 9fef089e4e50e756772ee5b46c4c156ab53dee9f85015d90199dbeb65fba7882
SHA512 ba419b22c1c78f1fee66f05b8f2e5b778b8e2731c12ca167ede6d9e6ccbabbaa16b0f2cc67205ceb3b2539061cc22711d204326f772551010a6b6df0b5e210bb

\Windows\system\spoolsv.exe

MD5 7e52eee17839468dc4a08da3510543ba
SHA1 99c3e3578eafcb90c04f3de57e6b861b2b61603b
SHA256 2bb0117362e191391bd1d64e27ab902bde5235bc8365ed181e3136e2991b92e9
SHA512 16170732f992745a64c9c537e60a9bbe5d006f5f403c47f1bb4d0c5e869dd3069bc4cbcfada116d562c3176ed6d060f3a7cd545e4ea41ff0fede8473601743b2

\??\c:\windows\system\spoolsv.exe

MD5 8a72be074fd2dd918f3d23fe171818af
SHA1 fc6203f75629fb1b050acda979344ab11dbb19ec
SHA256 116ba7242c8a51dbc8640bc58acd624957b3aaad2b172ece777ba23b99cbacd3
SHA512 1ed995fbbb41cff2e2f4fc88253280b4e52d6a152abca382325a59c338c535a5c428f012cb00ca6485ebbaf7a8e066cd43d3fb41a5985661e1bec1951e12fa24

\Windows\system\spoolsv.exe

MD5 229fa51ebe06046965a39da319f93073
SHA1 6fcffa11dac52ac08cdf67f74ccf0a8aef6f9135
SHA256 af849f8c5c722a0eaaabb34534669d576727ea07164f1ba3c7ad688ded519e7a
SHA512 e3b51840109c37551d50b186b6f3603457e2c9f571c740800e5cdf65f4b8d6b5fdc29169c3c43b305fdc6df71d2fe95d47fa5e74e51aaf4c236627098174bf0e

\Windows\system\spoolsv.exe

MD5 ec8b8a0c73b2de867e4d921e7b70e6b3
SHA1 0d128e6fc5d505fea91996fcbdfb7d8871ac09fd
SHA256 e6912cc46a8c79299977730fe9e915e39b26470a9ad70b2e24c2dfdf5fd95d8d
SHA512 5187efa26ddac113db541040a1321e2320da913a184224d3b40f61d41a23c7f02821c3700ee08f1122903e008684a2155db0be3b3ef0792bfb17fdce5098d3b8

\Windows\system\spoolsv.exe

MD5 31fb81d938ab4a001afca4c8c5435bae
SHA1 825c152a9523bc8185f822e46615021327fe5d83
SHA256 b057a72b58811ec65d120f29e35089e72f9993700c42d2b760a4d79de90e11b9
SHA512 2f598a44496ebaf05787951d87f9f6c19116edff155b3140fa95d91ca33a948bd0a1c991966f7c06d547d97e52921855ec1264280f6e8c33be0a6c9db879a383

\Windows\system\spoolsv.exe

MD5 4439d52ce7173ab9609273f76566e955
SHA1 7df18e93c6873003cc83acf40679cff9d75cc5c3
SHA256 4ee699dd381110c43c6fc428ec5da50979aaae4ce5080cc81b4251e80d975a87
SHA512 db91d3bea409f01151292f656fe975cac716bc4e6cbe5540070bdb3ddee4d5700beba06e840e3927f380bb5a47bbc07b185dfce0f94360af376bb2a56c142593

\Windows\system\spoolsv.exe

MD5 153f7e9e0374bd0b7c19956920e29848
SHA1 d0bb6b6f2f407c8b4af21acf2f1a715f63a31507
SHA256 3c0d23240600f711c6d33153a7a6d41bd304b06048b5b0c3b3723d554f091798
SHA512 633549b61fb776cc3e5b3d2d2a9a3ac24f639b0414282de5ec61fbd5dd39d44e733b1cae75f13e4ebdd1b8a8b138fadf468779a8deb613faa4583fb7e296f6b0

C:\Windows\system\spoolsv.exe

MD5 4e57f5564838554f5bb46a17743817aa
SHA1 ab5eb376454ae28311a912e27bd65b1a9fed859f
SHA256 0774f2ae8f855e845557925088d0f1bc54d282fac745edc53545e9af8e3c5150
SHA512 7d87a3988b0440848cfad421cd389e7fc19e36690a3ae3269180e977898790373f87665e071bd4167f7fd9afb73e5906c293b1a9ce26203813b1f9fedce3de43

memory/1540-222-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1944-223-0x0000000000400000-0x0000000000412000-memory.dmp

\Windows\system\svchost.exe

MD5 cf7a3ccd54823309cd92138ddf7d26d8
SHA1 8095091891417095bde5f7b9fa2ca105fe34c552
SHA256 20ccb1cf034e4f75b3bcb945f94df36f276d52eecb861a7f05b400665806745e
SHA512 64ec932719ed62cfc89b2ccd56b35e186220024aa9b428de946297bbb0197d3dd717408bb77575280932cf7b8eb1a072cb036199b8418d813231724366af1d36

memory/2692-232-0x0000000003200000-0x0000000003314000-memory.dmp

memory/1616-234-0x0000000003210000-0x0000000003324000-memory.dmp

memory/2032-236-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2032-238-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1616-239-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2692-241-0x0000000003200000-0x0000000003314000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-16 02:58

Reported

2024-02-16 03:00

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" \??\c:\windows\system\spoolsv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe \??\c:\windows\system\spoolsv.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
PID 1996 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1996 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1996 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1996 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 1996 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe C:\Windows\SysWOW64\diskperf.exe
PID 5108 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 5108 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 5108 wrote to memory of 4272 N/A C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 1196 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe
PID 4272 wrote to memory of 4300 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4272 wrote to memory of 4300 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4272 wrote to memory of 4300 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4272 wrote to memory of 4300 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 4272 wrote to memory of 4300 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\diskperf.exe
PID 1196 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4592 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4800 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 4800 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 4800 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 972 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 396 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2980 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2980 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2980 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 3756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 3756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 3756 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 3900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 3900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 3900 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4020 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 4036 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2824 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2824 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2824 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2428 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1196 wrote to memory of 2100 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2100 N/A \??\c:\windows\system\explorer.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe

"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 972 -ip 972

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 396 -ip 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2980 -ip 2980

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4020 -ip 4020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4036 -ip 4036

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2824 -ip 2824

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2428 -ip 2428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2100 -ip 2100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 380 -ip 380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5000 -ip 5000

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1904 -ip 1904

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4880 -ip 4880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1780 -ip 1780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4184 -ip 4184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2228 -ip 2228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1496 -ip 1496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5084 -ip 5084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2176 -ip 2176

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 720 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 720 -ip 720

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3052 -ip 3052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4416 -ip 4416

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 212 -ip 212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 212 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3196 -ip 3196

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3196 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4408 -ip 4408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4948 -ip 4948

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2824 -ip 2824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4816 -ip 4816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1976 -ip 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1892 -ip 1892

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4428 -ip 4428

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2720 -ip 2720

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1640 -ip 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2640 -ip 2640

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4508 -ip 4508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4508 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3044 -ip 3044

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2396 -ip 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4800 -ip 4800

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1560 -ip 1560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4912 -ip 4912

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4784 -ip 4784

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3420 -ip 3420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2400 -ip 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3948 -ip 3948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1756 -ip 1756

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4932 -ip 4932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 376 -ip 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5008 -ip 5008

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3388 -ip 3388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2544 -ip 2544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 944 -ip 944

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4184 -ip 4184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3044 -ip 3044

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4724 -ip 4724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2608 -ip 2608

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 4448

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3132 -ip 3132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1052 -ip 1052

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1792 -ip 1792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 1244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4260 -ip 4260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4268 -ip 4268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1184 -ip 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4296 -ip 4296

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4492 -ip 4492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3644 -ip 3644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2428 -ip 2428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2576 -ip 2576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 672 -ip 672

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 116 -ip 116

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2336 -ip 2336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1308 -ip 1308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2544 -ip 2544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2380 -ip 2380

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1640 -ip 1640

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2640 -ip 2640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3860 -ip 3860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2872 -ip 2872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4228 -ip 4228

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5116 -ip 5116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3384 -ip 3384

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3440 -ip 3440

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3508 -ip 3508

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 316 -ip 316

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4136 -ip 4136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2596 -ip 2596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 632 -ip 632

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2232 -ip 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 800 -ip 800

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3764 -ip 3764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2444 -ip 2444

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4812 -ip 4812

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4708 -ip 4708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3824 -ip 3824

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4052 -ip 4052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1028 -ip 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3676 -ip 3676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4344 -ip 4344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2544 -ip 2544

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4532 -ip 4532

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1640 -ip 1640

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2640 -ip 2640

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2228 -ip 2228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 208 -ip 208

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3044 -ip 3044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4968 -ip 4968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4724 -ip 4724

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2404 -ip 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3616 -ip 3616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1004 -ip 1004

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 592 -ip 592

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3680 -ip 3680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4364 -ip 4364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3300 -ip 3300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2624 -ip 2624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4372 -ip 4372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4276 -ip 4276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1528 -ip 1528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2788 -ip 2788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4420 -ip 4420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 200

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2140 -ip 2140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 4788 -ip 4788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 1456 -ip 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2932 -ip 2932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 1200 -ip 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3536 -ip 3536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2916 -ip 2916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 1328 -ip 1328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4444 -ip 4444

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2304 -ip 2304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1580 -ip 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3612 -ip 3612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3828 -ip 3828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2576 -ip 2576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3012 -ip 3012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 380 -ip 380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 628 -ip 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1892 -ip 1892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4848 -ip 4848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4376 -ip 4376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4400 -ip 4400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 2140 -ip 2140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\diskperf.exe

"C:\Windows\SysWOW64\diskperf.exe"

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 772 -ip 772

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 192

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/1996-0-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1996-1-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1996-2-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1996-3-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/1996-4-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1996-6-0x00000000006E0000-0x00000000006E1000-memory.dmp

memory/5108-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5080-13-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5108-14-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1996-17-0x0000000000400000-0x0000000000514000-memory.dmp

memory/5080-18-0x0000000000400000-0x0000000000412000-memory.dmp

memory/5080-20-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\explorer.exe

MD5 0d815a2cd1f1b9bcb15a7a1deb99e07b
SHA1 b090bb07650935463f39e5ebcf5893f02b6970e8
SHA256 233c12b0beb57b991acecb319f1d6c97714d26c861813b01df9db189bf60aac1
SHA512 079342a1869bc289f57cdff2b4f27c3a81fd04fb90a5babcbce7955cf5fa4d0cdc877842e8c5594dc5b11366b40e56caf3a2083a9c77532b06821bb8f2992789

\??\c:\windows\system\explorer.exe

MD5 42a6dd9fd35719f84a426f730795535e
SHA1 f3b9eaa83d94a6a4dea0c0bd307f751fdb220424
SHA256 5aba979db11264a491e05173f0d2482353dad01a675dea8c9757cfba0369ae18
SHA512 3d7da29d453f69bcbe8fc835d4816b31316c1057026ea162f0d809a67d1ed31bcc60d76fb8ad6884d9da5aa3e36fe4678356683b48d88ee1849af8a2dda54267

C:\Windows\System\explorer.exe

MD5 8562155a8b522fdd04c312a6743c5f0b
SHA1 59f8ddedd87245b6fcfe890eb0d42e2efb987606
SHA256 d85919cd707c4629a07752104aac10bd125645978218bf1a72fefe5d362f0329
SHA512 0b0a7fa602be8d56bb6c6b534e3b55600a19d5e80fa761b5f2ff82a38ccc288a142039a5474d6ce50d5b443208da606aaea6d7d5e381041f8f42e0e89920157b

memory/4272-28-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4272-29-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4272-30-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4272-31-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

memory/5108-33-0x0000000000400000-0x000000000043E000-memory.dmp

memory/5108-32-0x0000000000440000-0x0000000000509000-memory.dmp

memory/4272-34-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4272-36-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe

MD5 7ec8858964bf402c56bcb6cede22e35d
SHA1 2c2342736b21b1789287479912b8db4261361159
SHA256 3c08ef775e4ca66325ab7156ac71d7b68e4a937bc49c99a242569bc542954639
SHA512 4405883a835308ed10d0ed6678092c4aba2d479db18bc005ebeb296aca940c8ff239955ad77ee69747f8c8ddded80181afd8daa6b14e1836fca6d504ae48bb66

C:\Users\Admin\AppData\Local\Temp\Disk.sys

MD5 7ed1a2705c0fd38da169040089b0daad
SHA1 51b822ec6c59b1f35df6d49c331408014a01a7d0
SHA256 aabb57d649f74cd66f4eca4276249e85f8a0d0b0a7cfbd135a4acec3199600c0
SHA512 46e4f06efefde4f8072ecfe60a39f05f854857f8c4c90122724450141ca2864f4201b1809c727b950317471b86d0d56710b6232945580fb8a9ae16f9de503362

memory/1196-47-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 cb46545443117a1d82eb61aedce3200b
SHA1 2a2e9716ddfc009e28c83785711fe9480bad0f79
SHA256 ce969bc17c2a175af317dd2fe51e9e30640648c005b57208d4d9900aa2f68aab
SHA512 3197f21d02dca3431d90051287aeef6355277c09acc9dc66b44b7eba7f088b1bae4872011b10a38ac3c35f5ff4a9d7eac38b65f865c621483ba33c5876af4419

memory/4272-52-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4300-55-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b211c74e93b8336379c781c2d5c11ec9
SHA1 71ce5b22a90a68b3340998370a3a18538cb47b84
SHA256 b95955cdb59e8fb0b1b1983baf020900c1c8f2d0f3eec8894c32b62946010ebc
SHA512 9329aa570e0e17db0d6b6c2d6828ba7a855e008123a84ab63bc0517315b783694c47d751be625ec9eec3d3b9ce4b78ae691f26f3945eebaf61991bd87a49c89c

\??\c:\windows\system\spoolsv.exe

MD5 ff5822b095c1648e817b20fba96440b1
SHA1 5b7f5b54df9e044f8a9c17070fd42b0e9842dc82
SHA256 083ba8dfbd75395b7d2cf588a849b3c16f5c6a7b9ea016969559234ff42ea4b7
SHA512 716d9420cac1c846276615a1cb3cab4270a862d0aef9639de423e36749056cabe5f64ee9ab7fc0941b206c6149b52f9623ebfcdd04c5525c8c3b0982ffe341d8

memory/4592-64-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4592-63-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4592-65-0x00000000007B0000-0x00000000007B1000-memory.dmp

memory/4592-62-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b638fbda936e5febb7bbc5617f6b736a
SHA1 23e5a65f6ca9b4bc166a64516907da4eed7a641b
SHA256 61584da4c8a7a8de426e05b215b7a9f49d37422702d3758275fb4abcb166a378
SHA512 42f4f832459b83f3b5d80023c59d60d07a7ceb07b8b713aa2a1a642b90d42a5c622e694753a41b9a640c9673ebdd7021a6d84e375f81a18aebbe29acbc70d15a

memory/4800-69-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 6f92e26b7088321e4d5b17035bfdba07
SHA1 f63f99d365d85b65864486ff3cfe2f9a96e81130
SHA256 47e948af39cf42315e136739527b9df79dfc0ee457314059b0980490956c25a5
SHA512 33c16a58fb10fa11dfa21688bfc95c182b5e607635683f933e1e18fe1bcdbf65d4d530a463c7cc8e3181edcf68f870d18d4108e5e520e12496e96c4e6f7a4341

C:\Windows\System\spoolsv.exe

MD5 6fc1e5559a7551ff75a8c33bae5935bb
SHA1 8385885efe2cee618fe3753201ff9bddf3a78dbd
SHA256 4f42fdde960047f2da5cdb7ee964affcd4059e45a35928e8518eabf5841170de
SHA512 a249581e201135371fa48f9cf9d947b58fe79aacbbfd303891281463bb24372d2e6e538646aca9c8dcdff4916e4e5a6b01d1cba47b60cb7b61a5b889088e2a8c

C:\Windows\System\spoolsv.exe

MD5 bfa227d205bcb47041e40e2d15c2acd5
SHA1 27be92319aac446c122707f58093e5a8a4b5cac0
SHA256 042311b6272bc6950472cf19e90dd90aacf96383aa8ac2a62568f57c270dda92
SHA512 212ebca64948054d83b3adab497f456086016ccdeb727e93d52b8321d32cd95397473ae17c55e1a8f64d5096df5ab0db6162fe69b7437779bb52bbfdd326fac6

memory/3756-74-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 0f9e2ac582cef6239483dc91e6268c87
SHA1 a9069c842cddb7866e88e1e6edca619aad5fcbe3
SHA256 80c4d42eda8ed5ae4d15159bf5147f83392f5017fc76804bf8a3f5c715a98600
SHA512 e6e66b308d45f461bd7343dfe98b45a0cb37886477fb1e04bcee3cf716f450fd11c5dd43b8585bdc1165306c98c6968fbe01518a68ffc181e1b51ecb56ce74c8

C:\Windows\System\spoolsv.exe

MD5 69549e30bc1dda6f51c43f0114dac2ad
SHA1 348897c79c2e656ebd9d6c417b0d22b131adb03d
SHA256 c2aba0b62d1d923cad0400b94cc72ccf4ba8e931c34fe735c9bc70145db523d7
SHA512 fb70c64d063a1cc43c9dd2274235394a46b839cc1420c256c9c3e5d5a95f069473400a65cee29ec2c9e688b10d6f2c00baa63c760dc6016cc13403362006d106

memory/1196-77-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 048ca5bff389d914b5fb5ad4352e541a
SHA1 c709ac18517239fa0c6f303590fa69b87dd94902
SHA256 46d864465c511ea6288dec8f86f8734920dda84f788bd5fe7bf7ff6a300c4bb7
SHA512 3fa7705f00365d9f91412e30b1e0ddc1984ad8bfd4f1cd2f5146d0fd3cedc62db99aa8adedb19e4069225954b30cbe473e8e30b6606065adbc155d62b299b8aa

memory/4036-79-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 4cddf300db398d91cd1b4f6c63d8de07
SHA1 8922a2c74b82d2a3adff123bd6bd86e5346b861b
SHA256 7358a86e7988c2bca65178172c11b3e5c967e26ff6fc23ee94e26871276a1688
SHA512 e6ac07d0fffbc2d4781d47e4aef6dcfa011f7e6890b400f478c26b17aaa127977bccb3e9e99061b04cea4552aa42f1298b1ff80eb640a985243aecabba1bd54a

C:\Windows\System\spoolsv.exe

MD5 07e8da6076ca505db29a961b0336de23
SHA1 4042171029032bd1c56f74a03097b5167193b214
SHA256 68e82e187f9159b2e90df4aa79e206b3c19452cc1b3326165c93d9c4a9f6dfae
SHA512 6ec4dcb039caed05de870d9a288fb71db05fd1634acf9ea1cfc1132aff25f69340d592fbe4ec1a90776337c1305586f27729a66e9513bedf085102b3427f710f

memory/4592-81-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4592-83-0x00000000007B0000-0x00000000007B1000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 9295df29014a28578de66a542a16793e
SHA1 45eff6ad3aad7e1455139247fdd1c09bf0d7832b
SHA256 b8aaab526df20a5149273355c33ae924f2c29ab8abc03100d81d6504e2ab9002
SHA512 407c01fc9e4b588a96f2acc645678a3c678480ddb36c054014a00e95b13ef2b3500e73e10f965d499f23e0183ab448618a8d8e1ea9392931e67f61f235c7a936

memory/2100-85-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 fb5388aad5d6bc334f3fa3d718b4c282
SHA1 68be68f1b42bbbec03d1d189a8d4cb18c6a00d9d
SHA256 a67b6d839ab5119ac2c34ffcc0802b81914cc489dfc01b76353bac274ffa29d1
SHA512 6347979472ec178827995e649b2817d614c995159b28ffbd7aa5a1fcdb051ae78a18aeffd22b66f38bf9e29eac2cc9e0beb75b63f08f3387481f308e175d4d88

memory/380-87-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 bf5b09d615c8ff4a3d9219f88db185f2
SHA1 8670f5a793032075fc551c43c426242b615be0f2
SHA256 91bf049375e3766392b18bc7d6045e6b11725bb4466b180342345964949b5ff4
SHA512 a41503d39a4457a6979dcf091615a14013a83134f0422e01f6f559c7cd316866c3b31073f6049025a247a7df2c5f42465f9608ba3b32e7c7149576272a386325

memory/5000-89-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 b54331ed7404fda604b5f8ab7db75f77
SHA1 7dbdc5908d736c45742a1102f1968d720264e954
SHA256 f4f941f893d662fa364aa35f2ef72c18f1949443d564da23a7bb254f1284e34b
SHA512 08be4fc309f72ce83f0d76ee3db98864ebe7c1945be9adbf0f77f96c1279ba95a418a4e882666d7b9063b5950cceabb1b61581d3d4a2c3c619e40eb650aa1bdc

C:\Windows\System\spoolsv.exe

MD5 04a114c132b63278d9cd0002b21a4028
SHA1 d931ac44f1b631171383343689f64ef1b305b375
SHA256 b881406511a60bdd225f6977e3fd17f6b2b16e8e9f8da05e41fcc971387737f1
SHA512 70b91478244702087d776ecd09e225f060524594286e512e1fc6baa14dcfa25d0a0b704a3cc9231218f4885422a2308eca54b54e5d6b23fc81c21e70f234c0a4

C:\Windows\System\spoolsv.exe

MD5 36fe02d300a1b36aef5e9a02993dc5df
SHA1 253f3b873a71a9bd69c581e36df01022bcf55774
SHA256 760b99fcc4000ddb4dfd371a1b480b91df25041e43e1d75a12d97d2f9f7bb25c
SHA512 36f49a1c60404318fc5476f33a760445270ecbfd632fdc61986dc53dff103c72f2f92c98127a1f25360f72f425266dcb04bf78009f4f7d819da998bd9d235ca4

memory/628-92-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1904-94-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 5543a01aa9186b7b462b4475ba1dd251
SHA1 311d735a37ca664539fe1bf885b3523d33166d24
SHA256 f125530945697d9ce247c64adf8a8fd7f952f69d77af714e5bfc32f7349e5b3c
SHA512 ae0a5fec0b9be1bf396444cacb0dcd99e6f1ac4db60db85d329e53b46f7fd7d2ec56b85d7caa2e96e6c9b3af5ab7788e0e65d4bfb933ac904164816a4bed444b

C:\Windows\System\spoolsv.exe

MD5 7712352fab83da95f8f5be79eeb71d91
SHA1 625fabfcdac0947726b0c9cea34e728a82b42490
SHA256 06091baecd2d5db78edc76352b342fdc7225cb0b11064c47208ee6ab17a11e5a
SHA512 81ee5131e12a73107d9e68065332154bd808a33899d503904cd88ab400219776a135ea14461a46175e7f8f839557977aae5087a62d8247551a5e6f37ed42af7d

C:\Windows\System\spoolsv.exe

MD5 3c471de58a39d2d59a0a9d885edbd79e
SHA1 bf9390830abdc536c6f72f257c31ddf1db455eb3
SHA256 b0be0366e18e2b24d218d0536664c8f07d38aad452d83496264af78f324ff855
SHA512 1da0266453fdbcdac380e7ed80d32b9f3ea17b4a5780502dba85b2c5d2848abb2542a590cd831160ef133cb88fa08931869e78f9e3332d164f16e582889fd86b

C:\Windows\System\spoolsv.exe

MD5 64ceb8380f7978f9e723b5cbd0576031
SHA1 f87e182d6ad715dcb875b01cd00374cc779b320b
SHA256 19d0935dd35df8f92f571676327cacdc8602611e42891eed51125947885478ff
SHA512 5edb0bbc0131c5c6039a34456a1679fe0ebdbebb38da5b591a14175732dd4be96425a6b8bd72c39624d569e42c13b41eb4673eb8e0f5d8dfaff8b63fccb7f32f

C:\Windows\System\spoolsv.exe

MD5 bb74ee7e568e4db5a0fc5eb2f611988f
SHA1 4dac6b1f79fa8cc76b82e580657a260e83afe06c
SHA256 0b9f987e341163125bac930ea555580cd0ddc41ddef587ca9838fa186f43c6c9
SHA512 3533528d313bb1956d41d43409f6a0f363fa33fc7ef930ab1fc1e6067247c5f4009c6b494606f908fc6f031097f2f94eda2f606c3646db8b6de7e080a5cb1d0e

C:\Windows\System\spoolsv.exe

MD5 842e7e2ba1cedf9edf29bae1fd279d64
SHA1 29bef358213b3aa6d322955089a7012d58023a3b
SHA256 65ec26436a9b60bb63c462880a28b637dd54d184c20781fb677e416abb1c8a5b
SHA512 eb468bde908502ba64e28abaa0900578506665039e85f0ddca5addf021d68b805e0afafc1e702b56a482f4c46ee99d93ef5d766c04ccecd4c909493463f99902

C:\Windows\System\spoolsv.exe

MD5 480447970d207259f0dd21a6b5722ee4
SHA1 dc12ba586b9e29879bcf1849b18c98c6b1f7a639
SHA256 30930da7f679655787b3c1f00afe8f1654f528a955b3f88c85ed682007e61527
SHA512 c97c9b8d05c3ff0d5f54a1ee393e86b32aa8e16a538f48f3198763788214b9d76989581c76de53f576334ddc6602fa3b997042942845add897497dd7123c0898

C:\Windows\System\spoolsv.exe

MD5 e44ad5e43d12f074c86eddf7d0e68ad6
SHA1 eb4b5cb6fa8c279a6511991903ef1dff7ef21ce2
SHA256 fcced553ea7c8794160eefebc67b7554091514511177a6c78a2ec98614206eb6
SHA512 d10076901025ea2175e09a92ee73baf384f98941e0a6ea80049eff5c9ece86e8b02bf3ea50968c22c436aeb1c1ccef5ed39d1341169e556170c001e76898b045

C:\Windows\System\spoolsv.exe

MD5 165d68405084d2bd05076fcd4b8c902b
SHA1 1297fc4aad304bfd37e80ba8899af3cbbee4af51
SHA256 0d0b719b2361f6bb92365ecf0c6deac0f9fe856188a5e5df9a614bbc73a43d06
SHA512 7ec35e5f3451b65b58e68d4dd065736f3459734a25ac4fcbbc98a838b68757b79d13bf2d6f54591fa47fafe06bba3a8de53ddb395458e9726d7c6595029157b9

C:\Windows\System\spoolsv.exe

MD5 3ac7607c88461ceec25d08bb9c1f58c3
SHA1 e936c7051e719dbac7827bb65932fd586f98e5ce
SHA256 6708f0c367ddc816c7c511ee49477960b3bc66c8a9f2f74a847907c0df4b7cf3
SHA512 6e9f5e89917aec68b8ed7db4c6d6c038f49fb0795e6e5b1c797901c5f62f309cd57da335407bae1621868181fd92a90af950c3c23c9ed7af4f33aaaada5551bc

memory/5084-104-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1700-106-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 6987ddebfdd2aa655803f09db64792ba
SHA1 689f141db455bea31ca5e68612c8b67c1314fdb8
SHA256 371d54cdb0d567c869eee5bc4af1d4e3c591d4386cf390e79bcb99386cec966d
SHA512 3712b2faf612ce5986144ef0dc06004f262e063dd7682b05c3424353e0d529fc2c06b17eacf25ee0b056b41dd3716854385278adef076174f219e0eba823d30e

C:\Windows\System\spoolsv.exe

MD5 770b616ae56205dc57a92a3bf1c53199
SHA1 8b05949af00e3752ba2435f307946e331f1ff085
SHA256 c446dc425c1b060bd651d6d8c065c880d92407522b0b25e73b8d04e756aa3705
SHA512 6e61ce9c996b7ecef0cc30208ec8a48468c155360d3d46259855f7cdbf20f0d29d303b8a3ed97753b4fdefe2955684089fb2236d5f402e0e48167691f0712813

C:\Windows\System\spoolsv.exe

MD5 74addf2ecdc1e5ffa9d85d16c0c86c0a
SHA1 ffcf69d918dd81e248a504a1e7abccb5a832ece1
SHA256 da11e24375464f6224323491c4219d3e6421de08d67da6a7aa69f8a6d1b72877
SHA512 900b0bca9d04b568118e61688da8116f9b8c25cadbc603d81b77b461745dbcc2596e2b72cfbee36e5b38a0bc6ef8ed1c1d8ca57d79fcf819133bf967ac4d2092

C:\Windows\System\spoolsv.exe

MD5 b9d6372f926512f5ab5cb22319faf925
SHA1 5c7b840958015751429ddef549e1df37527eb405
SHA256 52ae0efd0a7a9367c3fe22b98bc18e39a88fea127877a58ccaf842a9bdf0c4a9
SHA512 2317429f768243b011252eba37bc48ac2147a9c67bedeaadda976244a9a1c56016d49b3f96f2497e62cebe78e3c6cd8b88e1726edda70cffec5de7fcd529b760

C:\Windows\System\spoolsv.exe

MD5 2eb2a0b0c6b63b7542d67051771db118
SHA1 54f2a6b28863875a0f06e1c198b1ce7173807cef
SHA256 c35d846bb66211da13d6bb463c980eb633dd11fb7fb8d8625a8dc2549d486e9b
SHA512 2289c01126fd225613ded4df20bc6ced33c95a1469a23850f79a4c23b57889abaeedb4948737877792fc54f8918511f349e9690f98f124b3b352dced770c55fe

C:\Windows\System\spoolsv.exe

MD5 129de6e7a78e61fc3311e0beb11a9af4
SHA1 89dcae0db21f0fa244475cb668cac6f64c2ac401
SHA256 4a57c36701122294e3f52b0123d60719a428a440bfd4dbc4551b63c218defc2b
SHA512 00b971678104ae8478dd7d8f642b6ed513b745e1fc7d218d00c67a5b417211c159b38184231133d39f93a27a6c1ca285dc16f0888edf20b6d9c950d1707dc329

C:\Windows\System\spoolsv.exe

MD5 14f641b0966674d8124b03e3b6670190
SHA1 4fa984ffc13af89cc6ee786693446e1788edb108
SHA256 f5449fa73ec6c4669c33f0593545b7c6676f8148ac42a76fc6bf4187ba8b5249
SHA512 bd5d008cf6c5358746b2dcc5f784232d93bd2541e22b2ceb60b4fec2bb26a0e5c92dcf5381e1583a4503dd84f816ea9d81f674e5555a28c6dcca03087e535a38

memory/3756-114-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 2e3efbbc681ff0c29af58fb9e024174b
SHA1 b19e35fdaf74fff19d1ed95db946bff4da002c59
SHA256 f8850d66c687411a1c8dc76a6f83b4565fd02c6aa1c7a24e6d8edbfd4be22660
SHA512 0afd57984359edd84b656aab81dd6a9ea9f14138ee55e819d1a7f5128df1a483a56b09e22e1cd3aeaa45bc89d55c3caa6af79e8f63af917b5c2b312660d498f0

C:\Windows\System\spoolsv.exe

MD5 48f4e8e9715f36892affb1ff1bfb486b
SHA1 a7b2dfa7e1566cbbff2190927bfb9ad68fb2c9eb
SHA256 7d9a5ebc0e4c6c1348a4e594a87b97319815b51c4b52bdb3f8923fe3992d6dd2
SHA512 de020baad0ce3eedbfcaef5c0f68e76d69ab36729219fb12b3ea5d8f7f08aba2265ddad7a68bad0ec101c0df45496583b63a57f40001a7ece84b8c5c3af4c12e

C:\Windows\System\spoolsv.exe

MD5 d1827a0cec1ece6acdf123150b376b7e
SHA1 359a269b2b3208832d7d10310729b84cebd17371
SHA256 b060283f0a0641ac15149cd2706efcb25ca6431a2182bc8e9c50d18246090be2
SHA512 298af981e96a592a3ec200f52e478bd5aacacc10be62c029742400b958c4287b4a0d0eb266085d3657d8cabd6260b290f515487313b84135c67b20af848b6f7a

C:\Windows\System\spoolsv.exe

MD5 31c3708cf879280f9284a504f1f10096
SHA1 af3d5c139aa6beb23e2d06d02f3d7d6095c6c4f5
SHA256 d2ffbc01ea73b818fb9de10d97beb067376c5e9331a6e0a65ddcaecbda15e035
SHA512 be2773d4807d9ad577d12a53268519829e4163ff0737cfa31de1ece541350498f68fd46c6e4b27e0827273191297420a366af2b6655d8b56ce519e789c4c126f

C:\Windows\System\spoolsv.exe

MD5 45ac5e522d628d6f91405940a9a94272
SHA1 4b42b4e58af891dbd563c66970c3fa8840d45245
SHA256 7f2677fc598f2dc2bfba20751cf4c403cbb2b9853aaba41ddd0c8ac0bba8df99
SHA512 ad27e3aebd31613ec6cffec0a2a9bdf65ba6febd4de0dbebdf0a4bcaa210e779b2dd6577246c31dd18b1d0b18d9847aac6aa0fde677f7207666789aea181c0a9

C:\Windows\System\spoolsv.exe

MD5 6635307ff728b908f835738084e52a1f
SHA1 5c2c81057c6c3ab802dd25eec50f26e9ed809b77
SHA256 9d657c4aac071faa9516c7810866538da151e9166c2a76105750c1889385b68e
SHA512 9897634966110ec14c07c4a8a04773ed7619d5e1125d578fbdaf7d35d7bc4a8196b14538cddecb6c8e6e224b2ad87d4380923fdf1cc51c94fecff6bf07f000d7

C:\Windows\System\spoolsv.exe

MD5 2433b27f89c4652ea307da019892a683
SHA1 7d98290b9b040c78d5b68efc5972e7dc7585c4aa
SHA256 b3ffd83f00747b891c5cc6263c388c8e4f25ec796f558000ec060c089b494fd7
SHA512 9566ad2b0194f1be5e0f48823aa5202176029754a8727719bef739a307054976c936dfb3312eb898169c4a46da799d4f068e37a169fa123cbe99646e44ee7a1c

C:\Windows\System\spoolsv.exe

MD5 70635bdb21b2896eb819d0fd3a718952
SHA1 0ff8dd007a037b7d1576d29e6c01f19d3b1d7beb
SHA256 23b8604c7388541b93a018153ef1d643d150378651cd1c9485a616b926c8e7bc
SHA512 485a48a2abfcfc72df84e8cbe836c5566609129e5b685721aa00582707d5a6358e09cb81be12fde472fabb53cb27c8ece95c171908bcc69c3bc6c05c5fccaf13

C:\Windows\System\spoolsv.exe

MD5 09861f6fe9a9b4eebcf86d32d542ca56
SHA1 83a1b2aa11ae839769ca9e14aaeb8c5752300ffb
SHA256 543312c015e89684aa71e6c6d4ef3c66bac414da5cec78903efa461a9fabd5e5
SHA512 01d359c3c2d1c3c418ca46cff6cb69a65273c7b9e6daa5fde70f5da1697407401a64f42cda0506d2ae47b884c9a6de42d05d16fe2187f74ab40b48c48ba1de5f

C:\Windows\System\spoolsv.exe

MD5 8786f92bfaf3b0e533e0d275773e837b
SHA1 018c3a76b74701b1a2928bfa10632751e965cfbd
SHA256 bb7b6a7f18e037fd8201a1aaee082ba93370f63b990a7256995a3cd1e00a9c4a
SHA512 1a3d9c3cc43672f7f9256309b3af478c643aa5b6a14fcce6845fe745353a6e17c233f5c127e76ee9809aa891fc0cdb1313a646b6b71163934f4081f378a43150

C:\Windows\System\spoolsv.exe

MD5 b639fe37db65f9d8f53aefcf54c82cbe
SHA1 f954970abd294a17d7b10a7f80803b29418e3f75
SHA256 9ee8a502d2499a8d72e9b310ac09650af87c28816414a834e73f859c5eee37b6
SHA512 3740dc279a8e306e73230db20ea67441139d567310a35c5703c38ed20ee78923c6427b770671506115a14a804d14f07326a4a8b82deb42fcbafa83b34b8ed902

C:\Windows\System\spoolsv.exe

MD5 4b4b7db75d213f1871a5dfa3f8ae7c28
SHA1 c58777473a3f71bf36efc0d242a594dbe349394c
SHA256 470b4697e4288cf40d36b5bc70db7c2aacdf6f3b10ee3d3dc8deb25f5c0b7728
SHA512 9fc84667b810c219a0282a4eb71ee5310a12dcca9429081af8cc6ed68beda3701ffb104090ad42e72b217b767022d379e6427b6ab54cd1add8b853762c8cd5d5

C:\Windows\System\spoolsv.exe

MD5 6153b0205663782b316e42bd61f182d8
SHA1 0ea109a82ceceb9394b08f5b86c5403d5e04d15b
SHA256 8594b6eee8f95399965a699d6c454c679845b07872f4985f758b60646717b87a
SHA512 d8c1cb07faf3ed3c82cf6f6e4927068be583923af33f07c99eb3f0637cc4a36b55fb47e1f42fb264e9fb2edecac40277d8489be098bd413fa0c2530b90bc8427

C:\Windows\System\spoolsv.exe

MD5 23140c61851b1dd2493d3f61a96085f5
SHA1 8ba811b9f198f5689723517f0f4188ad6cd7f141
SHA256 2bccb568aeeb789efa65a796a24f71096bf243abebbe6e2bd3ae077d21fc00a1
SHA512 db5243924f92c40a54691ae90965d166358f7425e3f085d3001722941fddd31a1367339e04a8fb299398e29dd7f12c7308d6813d53b0904a8ce33a5227c77873

C:\Windows\System\spoolsv.exe

MD5 a67ae9f0fbbe9ef653959ec95de2c6bc
SHA1 6b40b52e84a8d12e6ee8581b8279386e9ff64890
SHA256 17f1508bd76e419fca7f4652c7a942de53d902aca10cf5695409fd8445d1e437
SHA512 4af5c233c1170e32756cc041394abedebf32333ab10409a31eea29a50625573405563e1cac0aac945af0cfc516ee978bb7e926d4d67c50c2dd48f6d5a1a3064f

C:\Windows\System\spoolsv.exe

MD5 f3c1564f270a0efa71f0245bea437818
SHA1 0c30433dfeb5b19ce9b308281e2d040cfc66f29d
SHA256 80cd20f1d4c2e39fafd27d4232d659b2890d55e77d1c9ff557485f487efd8512
SHA512 92fea8b3b7c9c983912f55ff7c09cf0e985c96250c2136b07f032a79f617364ec3dd077b997446ce226f4e3ef553217c00b34c16999dc8c94b3dbd9ddf6d6dab

C:\Windows\System\spoolsv.exe

MD5 9400721742a1ae08dbae7860dd95eabe
SHA1 79ab658540d8a0f1fa92ee2c0842a79f1af18109
SHA256 a28c03119ddaa33fe31ae22e7b8f967cf5ebe6a480fee9c62776c593785901d3
SHA512 0ece5d40fc164190e41647a5d3c0c53de6447e9cdbff5b25762cfb477d94eaf90180a1ae4d77a609545314ac6435ae178748410f7b59fa8f889e78d67703f225

C:\Windows\System\spoolsv.exe

MD5 63f91fd76eb398c89c1ce865b4bc7731
SHA1 f817cdb22edb99079e2c1463c848b2e5e100ccd7
SHA256 a8695c6fb3ee268871246eaa1f0af6f5e4ac4df8c1a6c3c69c6c87bbf47018a7
SHA512 caed90179f2f8c37c3ee306e366a3186b4c56ed24329440921cc678722b63884557cb1bcdcc6e887aa2513a01a15eb1dace88ee8ab0746f80699b1f96d161599

memory/3744-135-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 cd6fdb5574b285012a896b8c83a76bbc
SHA1 4f9685e368607852dfbf3e61586669c3c49814cf
SHA256 ecdd560391d2eb4ab265a5c198ded679ebcb57c2e149ec57c92983346f80c6a7
SHA512 d495215a7a885f43a72ea1f68263fa28771a7ddf5eae01394f46a779df9a03942856f4fe898eea6111911ff8487a01e5b4faee32f7212ea70e34e938bd491d4a

C:\Windows\System\spoolsv.exe

MD5 22339995c386f4b6e844def5e1097e42
SHA1 f7f4363576ce42d984588250011be2143a69767c
SHA256 5d4fe9a3ece21984ed45149543136c693edffc70e9d5f1e3c3422ee984c454d5
SHA512 11f7a8bd81807cd567e5eef3b01c3918a8fe045d9a777084188781f158f1bc22fa6dba5c195d2d308d31102042b846c51d4614d492a424356d80fe872fa55d92

memory/2008-138-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 76a9abd36ef968a7aac7c25d6e3a04ad
SHA1 b4fbcdb77be1a33c9feef04d0a93165d065dcc0b
SHA256 035ca1e43e46a06955431b4e002b1d49bb60def81596052100f3d60534065d8d
SHA512 e9aa7dbe1319d6e56d892db2069c7df464e3414dcc8e4545caa13381d77aee513c84e21e848db8312ab6b9638001a2da8debd46f959a0e9a9b5f093ac3f9069c

memory/4680-140-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 cf269cc5909f6d2acc9f4afbcc733780
SHA1 25aacdb6d6ee432696191fb0d1c2483aedf49955
SHA256 53d9074909815059afb41d41029c13d584a3a3a7d7a5ed88861257ecc04e84f2
SHA512 d21c2b7d34f1d64e81cf4608e8d99b07c16a1b21899b8df441ade1eeb60a7ed26f5fae01b8e9f7d9d44951b739533765135f44310f0a2ee4c779dbc5c8a9e80f

C:\Windows\System\spoolsv.exe

MD5 d32faa1803fb968371be3d87691ffca4
SHA1 465dae9c40cec9c8193dae97e58261564f4e51ba
SHA256 9e639fb02b9e94d3d204f46827a02080698c71eb9eb5d5d0827c25a1e686634e
SHA512 c7981806ffb1317474b85ea910ee328b3f86077ec7f7b449d35ea27cd45a8835b5468e65d02a689a07cc8cf9231b2ece27ba71abf1a5de00562128ecb366bad9

memory/2396-142-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4800-144-0x0000000000400000-0x0000000000514000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 66d2366f2723109c2c9f924d504cd0f9
SHA1 72ddd036524cd2fe918478f7dc16edcb6d22489c
SHA256 3e8133b6fb7765133518cfb383b0cfdc80cd38be0cd18ddbbc79379f7d86ee69
SHA512 586e438e151a6014eb5858cd109d807fa8a4fc32b8c7c8dbcdca245a2f7f7c77e7bc66e62d9052cfbb3e66bc1b24b0cb854639a28d8eec175d8b757889e08cca

C:\Windows\System\spoolsv.exe

MD5 da260b22185aa6f2243881fa91ca8ca3
SHA1 761403d56d255501299069854816821519890784
SHA256 d9e2447e23f81d2bc6831db9fb97f68e061a8e3cce0a0256e9cf05962c3e37ae
SHA512 87dd0ad1ff43cdae0affd18eb5dbb41840b347a600ed236fec1374e8ba6ba71ac135ef3b69c1a89ca9d8c536d72efc8cacade569e596c0456d58da4552b01b3d

memory/3948-146-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2544-147-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2428-150-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3384-151-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4052-152-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4448-155-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3604-156-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2624-157-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4788-158-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1456-159-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2932-160-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4444-161-0x0000000000400000-0x0000000000514000-memory.dmp

memory/3012-164-0x0000000000400000-0x0000000000514000-memory.dmp

memory/1404-165-0x0000000000400000-0x0000000000514000-memory.dmp

memory/4848-166-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2640-178-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4788-176-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4592-182-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2992-185-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2992-184-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2992-186-0x0000000000400000-0x0000000000514000-memory.dmp

memory/2992-187-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4788-189-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1196-190-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2992-191-0x0000000000400000-0x0000000000514000-memory.dmp