Analysis Overview
SHA256
2d7b915fc601914a6b23c00dfa59e263e2d2ed8f59a62dd72cbb00a326ad35a3
Threat Level: Known bad
The file 9f452b6e2cdafb5b8d7080eaca2bad2c was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
Warzone RAT payload
Warzonerat family
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Modifies Installed Components in the registry
Loads dropped DLL
ASPack v2.12-2.42
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-16 02:58
Signatures
Warzone RAT payload
Warzonerat family
ASPack v2.12-2.42
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-16 02:58
Reported
2024-02-16 03:00
Platform
win7-20240215-en
Max time kernel
150s
Max time network
117s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\svchost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1512 set thread context of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe |
| PID 1512 set thread context of 2560 | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 2868 set thread context of 2692 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 2868 set thread context of 2988 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 1540 set thread context of 1616 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 1540 set thread context of 1944 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | \??\c:\windows\system\spoolsv.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"
C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 36
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
Network
Files
| SHA256 | 9fef089e4e50e756772ee5b46c4c156ab53dee9f85015d90199dbeb65fba7882 |
| SHA512 | ba419b22c1c78f1fee66f05b8f2e5b778b8e2731c12ca167ede6d9e6ccbabbaa16b0f2cc67205ceb3b2539061cc22711d204326f772551010a6b6df0b5e210bb |
\Windows\system\spoolsv.exe
| MD5 | 7e52eee17839468dc4a08da3510543ba |
| SHA1 | 99c3e3578eafcb90c04f3de57e6b861b2b61603b |
| SHA256 | 2bb0117362e191391bd1d64e27ab902bde5235bc8365ed181e3136e2991b92e9 |
| SHA512 | 16170732f992745a64c9c537e60a9bbe5d006f5f403c47f1bb4d0c5e869dd3069bc4cbcfada116d562c3176ed6d060f3a7cd545e4ea41ff0fede8473601743b2 |
\??\c:\windows\system\spoolsv.exe
| MD5 | 8a72be074fd2dd918f3d23fe171818af |
| SHA1 | fc6203f75629fb1b050acda979344ab11dbb19ec |
| SHA256 | 116ba7242c8a51dbc8640bc58acd624957b3aaad2b172ece777ba23b99cbacd3 |
| SHA512 | 1ed995fbbb41cff2e2f4fc88253280b4e52d6a152abca382325a59c338c535a5c428f012cb00ca6485ebbaf7a8e066cd43d3fb41a5985661e1bec1951e12fa24 |
\Windows\system\spoolsv.exe
| MD5 | 229fa51ebe06046965a39da319f93073 |
| SHA1 | 6fcffa11dac52ac08cdf67f74ccf0a8aef6f9135 |
| SHA256 | af849f8c5c722a0eaaabb34534669d576727ea07164f1ba3c7ad688ded519e7a |
| SHA512 | e3b51840109c37551d50b186b6f3603457e2c9f571c740800e5cdf65f4b8d6b5fdc29169c3c43b305fdc6df71d2fe95d47fa5e74e51aaf4c236627098174bf0e |
\Windows\system\spoolsv.exe
| MD5 | ec8b8a0c73b2de867e4d921e7b70e6b3 |
| SHA1 | 0d128e6fc5d505fea91996fcbdfb7d8871ac09fd |
| SHA256 | e6912cc46a8c79299977730fe9e915e39b26470a9ad70b2e24c2dfdf5fd95d8d |
| SHA512 | 5187efa26ddac113db541040a1321e2320da913a184224d3b40f61d41a23c7f02821c3700ee08f1122903e008684a2155db0be3b3ef0792bfb17fdce5098d3b8 |
\Windows\system\spoolsv.exe
| MD5 | 31fb81d938ab4a001afca4c8c5435bae |
| SHA1 | 825c152a9523bc8185f822e46615021327fe5d83 |
| SHA256 | b057a72b58811ec65d120f29e35089e72f9993700c42d2b760a4d79de90e11b9 |
| SHA512 | 2f598a44496ebaf05787951d87f9f6c19116edff155b3140fa95d91ca33a948bd0a1c991966f7c06d547d97e52921855ec1264280f6e8c33be0a6c9db879a383 |
\Windows\system\spoolsv.exe
| MD5 | 4439d52ce7173ab9609273f76566e955 |
| SHA1 | 7df18e93c6873003cc83acf40679cff9d75cc5c3 |
| SHA256 | 4ee699dd381110c43c6fc428ec5da50979aaae4ce5080cc81b4251e80d975a87 |
| SHA512 | db91d3bea409f01151292f656fe975cac716bc4e6cbe5540070bdb3ddee4d5700beba06e840e3927f380bb5a47bbc07b185dfce0f94360af376bb2a56c142593 |
\Windows\system\spoolsv.exe
| MD5 | 153f7e9e0374bd0b7c19956920e29848 |
| SHA1 | d0bb6b6f2f407c8b4af21acf2f1a715f63a31507 |
| SHA256 | 3c0d23240600f711c6d33153a7a6d41bd304b06048b5b0c3b3723d554f091798 |
| SHA512 | 633549b61fb776cc3e5b3d2d2a9a3ac24f639b0414282de5ec61fbd5dd39d44e733b1cae75f13e4ebdd1b8a8b138fadf468779a8deb613faa4583fb7e296f6b0 |
C:\Windows\system\spoolsv.exe
| MD5 | 4e57f5564838554f5bb46a17743817aa |
| SHA1 | ab5eb376454ae28311a912e27bd65b1a9fed859f |
| SHA256 | 0774f2ae8f855e845557925088d0f1bc54d282fac745edc53545e9af8e3c5150 |
| SHA512 | 7d87a3988b0440848cfad421cd389e7fc19e36690a3ae3269180e977898790373f87665e071bd4167f7fd9afb73e5906c293b1a9ce26203813b1f9fedce3de43 |
memory/1540-222-0x0000000000400000-0x0000000000514000-memory.dmp
memory/1944-223-0x0000000000400000-0x0000000000412000-memory.dmp
\Windows\system\svchost.exe
| MD5 | cf7a3ccd54823309cd92138ddf7d26d8 |
| SHA1 | 8095091891417095bde5f7b9fa2ca105fe34c552 |
| SHA256 | 20ccb1cf034e4f75b3bcb945f94df36f276d52eecb861a7f05b400665806745e |
| SHA512 | 64ec932719ed62cfc89b2ccd56b35e186220024aa9b428de946297bbb0197d3dd717408bb77575280932cf7b8eb1a072cb036199b8418d813231724366af1d36 |
memory/2692-232-0x0000000003200000-0x0000000003314000-memory.dmp
memory/1616-234-0x0000000003210000-0x0000000003324000-memory.dmp
memory/2032-236-0x0000000000400000-0x0000000000514000-memory.dmp
memory/2032-238-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1616-239-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2692-241-0x0000000003200000-0x0000000003314000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | Reported | Platform | Max time kernel | Max time network |
| 2024-02-16 02:58 | 2024-02-16 03:00 | win10v2004-20231222-en | 150s | 125s |
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" | \??\c:\windows\system\explorer.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\system\explorer.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" | \??\c:\windows\system\explorer.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\StikyNot.exe" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" | \??\c:\windows\system\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft OneDrive = "C:\\Users\\Admin\\AppData\\Local\\Chrome\\SyncHost.exe" | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1996 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe |
| PID 1996 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 4272 set thread context of 1196 | N/A | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe |
| PID 4272 set thread context of 4300 | N/A | \??\c:\windows\system\explorer.exe | C:\Windows\SysWOW64\diskperf.exe |
| PID 4592 set thread context of 4788 | N/A | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\spoolsv.exe |
| PID 4592 set thread context of 2640 | N/A | \??\c:\windows\system\spoolsv.exe | C:\Windows\SysWOW64\diskperf.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\system\explorer.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\svchost.exe | \??\c:\windows\system\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\system\udsys.exe | \??\c:\windows\system\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\system\explorer.exe | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| File opened for modification | \??\c:\windows\system\spoolsv.exe | \??\c:\windows\system\explorer.exe | N/A |
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe | N/A |
| N/A | N/A | \??\c:\windows\system\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\system\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"
C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe
"C:\Users\Admin\AppData\Local\Temp\9f452b6e2cdafb5b8d7080eaca2bad2c.exe"
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3044 -ip 3044
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3744 -ip 3744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4724 -ip 4724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2608 -ip 2608
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4448 -ip 4448
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3132 -ip 3132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1052 -ip 1052
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1792 -ip 1792
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1244 -ip 1244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4260 -ip 4260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4268 -ip 4268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1184 -ip 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4296 -ip 4296
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4492 -ip 4492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2428 -ip 2428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2576 -ip 2576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 672 -ip 672
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 116 -ip 116
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2336 -ip 2336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1308 -ip 1308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2544 -ip 2544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2380 -ip 2380
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4468 -ip 4468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1640 -ip 1640
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2640 -ip 2640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3860 -ip 3860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1900 -ip 1900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2872 -ip 2872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4228 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4228 -ip 4228
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5116 -ip 5116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3384 -ip 3384
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 1664 -ip 1664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3440 -ip 3440
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 972 -ip 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3508 -ip 3508
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 316 -ip 316
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2596 -ip 2596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 632 -ip 632
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2232 -ip 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 800 -ip 800
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2444 -ip 2444
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4812 -ip 4812
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4708 -ip 4708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1768 -ip 1768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3824 -ip 3824
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4052 -ip 4052
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3676 -ip 3676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2544 -ip 2544
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2380 -ip 2380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4532 -ip 4532
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1640 -ip 1640
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2640 -ip 2640
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2228 -ip 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 208 -ip 208
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3044 -ip 3044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4968 -ip 4968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4724 -ip 4724
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2404 -ip 2404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4448 -ip 4448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3616 -ip 3616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1004 -ip 1004
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 592 -ip 592
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3680 -ip 3680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4364 -ip 4364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5016 -ip 5016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3604 -ip 3604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3900 -ip 3900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 4892 -ip 4892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3300 -ip 3300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3300 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2624 -ip 2624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 232 -ip 232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 4460 -ip 4460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 8 -ip 8
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4472 -ip 4472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4276 -ip 4276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1528 -ip 1528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 4420 -ip 4420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 800 -p 3920 -ip 3920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 200
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 2140 -ip 2140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 4788 -ip 4788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1480 -ip 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 1456 -ip 1456
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2932 -ip 2932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 1200 -ip 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 3536 -ip 3536
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 2740 -ip 2740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2916 -ip 2916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 1328 -ip 1328
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 5076 -ip 5076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 880 -ip 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4444 -ip 4444
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 2304 -ip 2304
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1580 -ip 1580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3612 -ip 3612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3828 -ip 3828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 2016 -ip 2016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 5036 -ip 5036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 2576 -ip 2576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3012 -ip 3012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 380 -ip 380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 5000 -ip 5000
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 628 -ip 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 1892 -ip 1892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1892 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1404 -ip 1404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4848 -ip 4848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 5104 -ip 5104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4376 -ip 4376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4400 -ip 4400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 924 -p 2140 -ip 2140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2140 -s 192
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\diskperf.exe
"C:\Windows\SysWOW64\diskperf.exe"
\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 772 -ip 772
\??\c:\windows\system\svchost.exe
c:\windows\system\svchost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 192
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Windows\System\explorer.exe
\??\c:\windows\system\explorer.exe
C:\Users\Admin\AppData\Local\Chrome\StikyNot.exe
C:\Users\Admin\AppData\Local\Temp\Disk.sys
C:\Windows\System\spoolsv.exe
\??\c:\windows\system\spoolsv.exe